* perhaps obvious question: auditd and setuid/setgid?

From: John Jasen @ 2015-09-02 23:06 UTC
To: linux-audit

I'm currently testing auditd with rules for setuid or setgid binaries on
the system.

I currently maintain the list via find, and push the results to an
audit.rules file.

I'm hoping there's a cleaner way, perhaps by triggering on the
appropriate syscall -- but have not discovered it.

Is there an easier method?
* Re: perhaps obvious question: auditd and setuid/setgid?

From: rshaw1 @ 2015-09-03 2:32 UTC
To: John Jasen; +Cc: linux-audit

> I'm currently testing auditd with rules for setuid or setgid binaries on
> the system.
>
> I currently maintain the list via find, and pushing the results to a
> audit.rules file.
>
> I'm hoping there's a cleaner way, perhaps by triggering on the
> appropriate syscall -- but have not discovered it.
>
> Is there an easier method?

The find method is what I use (though I push it to a file in rules.d and
then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
find to generate these rules is actually in the text of, IIRC, at least
one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
automated as the way I do it.

--Ray
* Re: perhaps obvious question: auditd and setuid/setgid?

From: John Jasen @ 2015-09-04 14:54 UTC
To: linux-audit

I was specifically wondering if I was missing the appropriate syscall
for the use of setuid or setgid.

From a brief examination and test, this appears to not be the case?

On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
>> I'm currently testing auditd with rules for setuid or setgid binaries on
>> the system.
>>
>> I currently maintain the list via find, and pushing the results to a
>> audit.rules file.
>>
>> I'm hoping there's a cleaner way, perhaps by triggering on the
>> appropriate syscall -- but have not discovered it.
>>
>> Is there an easier method?
> The find method is what I use (though I push it to a file in rules.d and
> then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> find to generate these rules is actually in the text of, IIRC, at least
> one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> automated as the way I do it.
>
> --Ray
* Re: perhaps obvious question: auditd and setuid/setgid?

From: Steve Grubb @ 2015-09-04 16:20 UTC
To: linux-audit

On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
> From a brief examination and test, this appears to not be the case?

There are a couple ways to do this. One is using the find method. However,
that does not take into account file system based capabilities. In the lab I
taught this week, the rules generator also included this:

filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules

But, if all you want is setuid, then you can use a rule like this instead of
file watches:

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0

-Steve

> On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: perhaps obvious question: auditd and setuid/setgid?

From: John Jasen @ 2015-09-04 17:36 UTC
To: linux-audit

On 09/04/2015 12:20 PM, Steve Grubb wrote:
> On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
>> I was specifically wondering if I was missing the appropriate syscall
>> for the use of setuid or setgid.
>>
>> From a brief examination and test, this appears to not be the case?
>
> There are a couple ways to do this. One is using the find method. However, that
> does not take into account file system based capabilities. In the lab I taught
> this week, the rules generator also included this:

<snipped> filecap examples to add LINUX_CAP executables to audit.rules.

Huh .... I did not think of that.

> But, if all you want is setuid, then you can use a rule like this instead of
> file watches:
>
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0

Perfect! Thanks.

For future generations googling for answers, I did the following:

-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv

I didn't pursue the last match, -F euid=0, as there may be cases where you
wish to audit setuid usage, but the binary is not setuid to root.
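The following is an added example, not code from anyone in the thread: it puts the two approaches discussed above (the find-generated path watches in the style of Steve's awk template, and the execve interfield rules John settled on) into one rules.d fragment that augenrules can pick up. The directory list, the output path and the key names are assumptions; the arch=b32 rules are an addition beyond John's x86_64-only pair, for hosts that still run 32-bit binaries.

```shell
#!/bin/sh
# Added example: build an auditd rules.d fragment that watches every
# setuid/setgid executable by path AND catches any execve where the
# real and effective ids differ, whatever the path.

# Emit one path watch per setuid/setgid file under the given directories.
# Same rule template as the filecap/awk lines in the thread.
gen_privileged_rules() {
    # $@ = directories to scan (assumed; e.g. /bin /sbin /usr/bin /usr/sbin)
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r path; do
        printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged"
    done
}

# Syscall-based rules: a setuid/setgid program that actually ran shows up
# as an execve whose uid != euid (or gid != egid), with no file list to keep.
gen_execpriv_rules() {
cat <<'EOF'
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv
EOF
}

# Write both sets into one rules.d file (default path assumed) and
# return the number of rules written, so the run can be checked.
write_rules_file() {
    out="${1:-/etc/audit/rules.d/50-privileged.rules}"
    shift
    { gen_privileged_rules "$@"; gen_execpriv_rules; } > "$out"
    wc -l < "$out" | tr -d ' '
}
```

After writing the file, `augenrules --load` merges rules.d into audit.rules; a quick sanity check is that `ausearch -k execpriv` shows an event after running a setuid binary such as passwd.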