From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: perhaps obvious question: auditd and setuid/setgid?
Date: Fri, 04 Sep 2015 12:20:38 -0400 [thread overview]
Message-ID: <2447871.tML4uAQppZ@x2> (raw)
In-Reply-To: <55E9B0B7.9040607@gmail.com>
On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
>From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -
F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x
-F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
But, if all you want is setuid, then you can use a rule like this instead of
file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
-Steve
> On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2015-09-04 16:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-02 23:06 perhaps obvious question: auditd and setuid/setgid? John Jasen
2015-09-03 2:32 ` rshaw1
2015-09-04 14:54 ` John Jasen
2015-09-04 16:20 ` Steve Grubb [this message]
2015-09-04 17:36 ` John Jasen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2447871.tML4uAQppZ@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).