From: "Jender, Raymond [USA]"
Subject: audit.rules
Date: Wed, 8 Feb 2012 14:30:07 +0000
To: linux-audit@redhat.com

How would you set up audit.rules to log any action by administrators?

Thanks,

Ray


From: Steve Grubb
Subject: Re: audit.rules
Date: Wed, 8 Feb 2012 09:59:17 -0500
Message-ID: <201202080959.18086.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Jender, Raymond [USA]"

On Wednesday, February 08, 2012 09:30:07 AM Jender, Raymond [USA] wrote:
> How would you set up audit.rules to log any action by administrators?

You can use pam_tty_audit. Sudo is also patched to log the commands run by it.

-Steve


From: Peter Moody
Subject: Re: audit.rules
Date: Wed, 8 Feb 2012 08:53:44 -0800
To: "Jender, Raymond [USA]"
Cc: linux-audit@redhat.com

I think there are a few ways you can do this with auditd:

(These both assume you've set up pam_loginuid)

If your admins are a finite set of uids, you could do something like

auditctl -a exit,always -F auid= -F success=1
auditctl -a exit,always -F auid= -F success=1
...
auditctl -a exit,always -F auid= -F success=1

or if by administrators you mean actions run as root (eg, with sudo or su), you can do something like

auditctl -a exit,always -F auid=!0 -F euid=0 -F success=1

You'll probably want to restrict which syscalls you care about, eg open/execve/chmod/unlink whatever. Those rules as they're written will log a lot more than you likely want.

On Wed, Feb 8, 2012 at 6:30 AM, Jender, Raymond [USA] wrote:
> How would you set up audit.rules to log any action by administrators?
>
> Thanks,
>
> Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Peter Moody      Google      1.650.253.7306
Security Engineer      pgp:0xC3410038


From: Steve Grubb
Subject: Re: audit.rules
Date: Wed, 8 Feb 2012 13:40:33 -0500
Message-ID: <201202081340.33499.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Jender, Raymond [USA]"

On Wednesday, February 08, 2012 11:53:44 AM Peter Moody wrote:
> I think there are a few ways you can do this with auditd:
>
> (These both assume you've set up pam_loginuid)
>
> If your admins are a finite set of uids, you could do something like
>
> auditctl -a exit,always -F auid= -F success=1
> auditctl -a exit,always -F auid= -F success=1
> ...
> auditctl -a exit,always -F auid= -F success=1

This audits all syscalls of all programs run by the admin. Normally, this is not what people want or desire. Normally when it's asked how you log administrative actions, the intended effect is something like the bash history file. They want to know just what the admin did. Unfortunately, this can be easily tricked. The admin can open wish or a python shell and just start typing commands. This does not get recorded in a bash history. So, what you have to do is record the keystrokes.

A lot of times these security requirements come from places where they run both Windows and Linux. So, it sounds innocent. But think about Windows. There are only so many apps and it's not like the OS depends on shell scripting. So, what sounds like an easy-to-do requirement in Windows becomes impossible in Linux.

You have so many execve's with normal shell scripts that you get way more data than you want if you audit on execve. So, the basic answer is that to weed this down to just the good stuff, you need to do the keystroke logging or, if everything is defined in sudo commands, then sudo will take care of this for you.

> or if by administrators you mean actions run as root (eg, with sudo or
> su), you can do something like
>
> auditctl -a exit,always -F auid=!0 -F euid=0 -F success=1

Again a mountain of data is not good for people. I think there is a clarification to NISPOM that says too much data is just as bad as not enough data. Making searching hard to find what you are after is tantamount to not recording it because you can't find it later.

-Steve
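As an added worked example (not code from this thread, from auditd, or from any of the posters), the Python below ties Peter's rule sketch to Steve's objection. It emits Peter's two rule shapes in current auditctl syntax, restricted to a handful of syscalls and tagged with a key as Peter suggests, and it then reconstructs from raw audit.log records the per-admin "what did they run" view Steve says people actually want, while counting the keyed non-execve events that would otherwise pile up. The sample records, the key name admin_actions and the function names are my own; the generator also adds -F auid!=unset, an assumption of my own on top of Peter's rule, so that daemons (which have no login uid) do not match the euid=0 rule.

```python
import re
from collections import defaultdict

# Key of our own choosing; `ausearch -k admin_actions` pulls these back out.
ADMIN_KEY = "admin_actions"
# A restricted syscall set, as Peter suggests, instead of "every syscall".
DEFAULT_SYSCALLS = ("execve", "open", "openat", "chmod", "unlink")


def build_admin_rules(admin_uids, syscalls=DEFAULT_SYSCALLS, key=ADMIN_KEY):
    """auditctl rule lines (modern 'always,exit' spelling) for a finite set of
    admin login uids, plus one rule for any logged-in non-root user whose
    effective uid becomes 0 (sudo/su). auid!=unset keeps daemons, which carry
    no login uid, from matching the euid=0 rule and flooding the log."""
    sc = ",".join(syscalls)
    rules = [
        f"-a always,exit -F arch=b64 -S {sc} -F auid={uid} -F success=1 -k {key}"
        for uid in sorted(admin_uids)
    ]
    rules.append(
        f"-a always,exit -F arch=b64 -S {sc} -F auid!=0 -F auid!=unset "
        f"-F euid=0 -F success=1 -k {key}"
    )
    return rules


# Raw audit.log records; the SYSCALL and EXECVE records of one event share the
# serial inside msg=audit(timestamp:serial).
RECORD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(rest):
    """key=value pairs; quoted values keep their quotes for decode_value()."""
    return dict(FIELD_RE.findall(rest))


def decode_value(v):
    """auditd hex-encodes strings containing spaces or odd bytes instead of
    quoting them; quoted values are returned without the quotes."""
    if v.startswith('"'):
        return v[1:-1]
    if v and len(v) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", v):
        return bytes.fromhex(v).decode("utf-8", "replace")
    return v


def admin_command_history(log_lines, key=ADMIN_KEY):
    """Per admin login uid, the argv of each execve that hit our key, plus a
    count of keyed non-execve events so the volume Steve warns about is visible."""
    syscalls, argv = {}, {}
    for line in log_lines:
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("rest"))
        serial = m.group("serial")
        if m.group("type") == "SYSCALL" and decode_value(fields.get("key", "")) == key:
            syscalls[serial] = fields
        elif m.group("type") == "EXECVE":
            argc = int(fields["argc"])
            argv[serial] = [decode_value(fields[f"a{i}"]) for i in range(argc)]
    history, noise = defaultdict(list), 0
    for serial, f in syscalls.items():
        if serial in argv:  # execve: the EXECVE record carries argv
            history[f["auid"]].append((f["euid"], " ".join(argv[serial])))
        else:               # open/chmod/unlink etc.: counted, not listed
            noise += 1
    return dict(history), noise


# Constructed sample records, not taken from any real system. Event 1002 is a
# keyed open(); event 1004 is an unkeyed daemon execve with auid unset.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1328713807.123:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="systemctl" exe="/bin/systemctl" key="admin_actions"
type=EXECVE msg=audit(1328713807.123:1001): argc=3 a0="systemctl" a1="restart" a2="sshd"
type=SYSCALL msg=audit(1328713810.456:1002): arch=c000003e syscall=2 success=yes exit=3 ppid=2201 pid=2211 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" key="admin_actions"
type=SYSCALL msg=audit(1328713815.789:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=3301 pid=3310 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="grep" exe="/bin/grep" key="admin_actions"
type=EXECVE msg=audit(1328713815.789:1003): argc=3 a0="grep" a1=686173207370616365 a2="/var/log/messages"
type=SYSCALL msg=audit(1328713820.000:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=EXECVE msg=audit(1328713820.000:1004): argc=1 a0="/usr/sbin/cron"
""".splitlines()


if __name__ == "__main__":
    for rule in build_admin_rules({1000, 1001}):
        print(rule)
    history, noise = admin_command_history(SAMPLE_LOG)
    for auid, cmds in history.items():
        for euid, cmd in cmds:
            print(f"auid={auid} euid={euid}: {cmd}")
    print(f"{noise} keyed non-execve event(s) not shown")
```

Even with the rules narrowed, the history only shows programs started with execve: an admin who starts wish or a python shell produces one execve and then nothing, which is exactly Steve's reason for pointing at pam_tty_audit or sudo's own command logging instead.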