From: Steve Grubb
Subject: Re: perhaps obvious question: auditd and setuid/setgid?
Date: Fri, 04 Sep 2015 12:20:38 -0400
Message-ID: <2447871.tML4uAQppZ@x2>
References: <55E780DE.80400@gmail.com> <55E9B0B7.9040607@gmail.com>
In-Reply-To: <55E9B0B7.9040607@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
> From a brief examination and test, this appears to not be the case?

There are a couple ways to do this. One is using the find method.
However, that does not take into account file system based capabilities.
In the lab I taught this week, the rules generator also included this:

filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules

But, if all you want is setuid, then you can use a rule like this instead of file watches:

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0

-Steve

> On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
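An added example, not code from this thread: it folds the two approaches discussed above (find for setuid/setgid bits, filecap for file-system capabilities, which find misses) into one generator that emits the same rule form, deduplicated. It assumes filecap prints one path per line in its first column (lines not starting with "/", such as a header, are skipped) and is skipped if filecap is not installed.

```shell
#!/bin/sh
# Added example (not from the list post). Builds "privileged" audit rules
# for every binary that is setuid/setgid or carries file capabilities.

# One audit rule line for a path, in the form the thread's generator uses.
rule_for() {
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n' "$1"
}

# Regular files under the given directories with the setuid or setgid bit.
setuid_paths() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Paths that carry file-system capabilities, taken from the first column of
# filecap (libcap-ng) output. Assumption: paths start with "/", so header or
# message lines are dropped. Produces nothing when filecap is not installed.
filecap_paths() {
    command -v filecap >/dev/null 2>&1 || return 0
    for d in "$@"; do
        filecap "$d" 2>/dev/null | awk '$1 ~ /^\// { print $1 }'
    done
}

# Merge both sources, drop duplicates (a binary can be both setuid and
# capability-bearing), and emit one rule per path.
gen_priv_rules() {
    { setuid_paths "$@"; filecap_paths "$@"; } | sort -u | while IFS= read -r p; do
        rule_for "$p"
    done
}

# Stand-alone use: gen_priv_rules /bin /sbin /usr/bin /usr/sbin >> priv.rules
if [ "$#" -gt 0 ]; then
    gen_priv_rules "$@"
fi
```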