STIG issue with auditctl -l

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* STIG issue with auditctl -l
@ 2014-11-20 15:42 leam hall
  2014-11-20 15:52 ` LC Bruzenak
  2014-11-20 16:10 ` Steve Grubb
  0 siblings, 2 replies; 6+ messages in thread
From: leam hall @ 2014-11-20 15:42 UTC (permalink / raw)
  To: linux-audit

The RHEL 6 STIG says:

  auditctl -l | grep syscall | grep chmod

Should return lines referring to chmod. Those lines are in my
audit.rules. Just doing an:

  auditctl -l | grep syscall

Returns nothing. I've got no issues telling the STIG folks how to do
their work, but wanted to make sure I know what I'm talking about
first.

Am I missing something if there's no "syscall" line(s) returned?

Thanks!

Leam

-- 
Mind on a Mission

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: STIG issue with auditctl -l
  2014-11-20 15:42 STIG issue with auditctl -l leam hall
@ 2014-11-20 15:52 ` LC Bruzenak
  2014-11-20 16:03   ` leam hall
  2014-11-20 16:10 ` Steve Grubb
  1 sibling, 1 reply; 6+ messages in thread
From: LC Bruzenak @ 2014-11-20 15:52 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 998 bytes --]

On 11/20/2014 09:42 AM, leam hall wrote:
> The RHEL 6 STIG says:
>
>   auditctl -l | grep syscall | grep chmod
>
> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
>
>   auditctl -l | grep syscall
>
> Returns nothing. I've got no issues telling the STIG folks how to do
> their work, but wanted to make sure I know what I'm talking about
> first.
>
> Am I missing something if there's no "syscall" line(s) returned?
>
> Thanks!
>
> Leam
>

The auditctl  command returns the rules loaded into the kernel.
Looks to me as if you might not have a running auditd or else your rules
were not all successfully loaded.
This can happen if there was an error inside the ruleset and you didn't
have the "-c" or "-i" flag set to continue loading the rules.
Check your syslog for any errors on startup; also just auditctl -l and
compare the loaded rules against your file.

HTH,
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com



[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 2193 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: STIG issue with auditctl -l
  2014-11-20 15:52 ` LC Bruzenak
@ 2014-11-20 16:03   ` leam hall
  0 siblings, 0 replies; 6+ messages in thread
From: leam hall @ 2014-11-20 16:03 UTC (permalink / raw)
  To: linux-audit

On Thu, Nov 20, 2014 at 10:52 AM, LC Bruzenak <lenny@magitekltd.com> wrote:
> On 11/20/2014 09:42 AM, leam hall wrote:
>> The RHEL 6 STIG says:
>>
>>   auditctl -l | grep syscall | grep chmod
>>
>> Should return lines referring to chmod. Those lines are in my
>> audit.rules. Just doing an:
>>
>>   auditctl -l | grep syscall
>>
>> Returns nothing. I've got no issues telling the STIG folks how to do
>> their work, but wanted to make sure I know what I'm talking about
>> first.
>>
>> Am I missing something if there's no "syscall" line(s) returned?
>>
>> Thanks!
>>
>> Leam
>>
>
> The auditctl  command returns the rules loaded into the kernel.
> Looks to me as if you might not have a running auditd or else your rules
> were not all successfully loaded.
> This can happen if there was an error inside the ruleset and you didn't
> have the "-c" or "-i" flag set to continue loading the rules.
> Check your syslog for any errors on startup; also just auditctl -l and
> compare the loaded rules against your file.
>
> HTH,
> LCB
>
> --
> LC (Lenny) Bruzenak
> lenny@magitekltd.com

Hmm... I played with chmod; removed fchmodat. The audit daemon says
it's running.

service auditd status
auditd (pid  609) is running...



Before the mod:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod


After editing audit.rules and restarting auditd:

auditctl -l | grep chmod
-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod


Where's the best place to put debug flags?

Thanks!

Leam


-- 
Mind on a Mission

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: STIG issue with auditctl -l
  2014-11-20 15:42 STIG issue with auditctl -l leam hall
  2014-11-20 15:52 ` LC Bruzenak
@ 2014-11-20 16:10 ` Steve Grubb
  2014-11-20 16:56   ` leam hall
  1 sibling, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2014-11-20 16:10 UTC (permalink / raw)
  To: linux-audit

On Thursday, November 20, 2014 10:42:04 AM leam hall wrote:
> The RHEL 6 STIG says:
> 
>   auditctl -l | grep syscall | grep chmod

This is a forensics check of the system. A configuration scan should do

cat /etc/audit/audit.rules

> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
> 
>   auditctl -l | grep syscall

The format of the output changed. But the STIG is not right for mixing a 
forensics check with a configuration checks. If you really needed to do a check 
using auditctl, then use this:

auditctl -l | grep chmod

Just grep on the syscall and leave system out of it. You should have never 
needed it unless

-Steve

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: STIG issue with auditctl -l
  2014-11-20 16:10 ` Steve Grubb
@ 2014-11-20 16:56   ` leam hall
  2014-11-20 17:08     ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: leam hall @ 2014-11-20 16:56 UTC (permalink / raw)
  To: linux-audit

On Thu, Nov 20, 2014 at 11:10 AM, Steve Grubb <sgrubb@redhat.com> wrote:

 ...

> -Steve

Steve, as always I appreciate your fast response and awesome help! I'm
collating stuff to send up the chain.

Thanks!

Leam

-- 
Mind on a Mission

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: STIG issue with auditctl -l
  2014-11-20 16:56   ` leam hall
@ 2014-11-20 17:08     ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2014-11-20 17:08 UTC (permalink / raw)
  To: linux-audit

On Thursday, November 20, 2014 11:56:50 AM leam hall wrote:
> Steve, as always I appreciate your fast response and awesome help! I'm
> collating stuff to send up the chain.

I discussed this a couple weeks back on the SCAP Security Guide mail list:

https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-October/006251.html

You might want to review that thread because I pointed out a couple more
mistakes that its making. Not to mention, if you have to STIG a box, wouldn't
you want to have a scanner to tell you that you are in compliance? SSG + 
openscap solves this problem in an open source way.

-Steve

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-11-20 17:08 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-20 15:42 STIG issue with auditctl -l leam hall
2014-11-20 15:52 ` LC Bruzenak
2014-11-20 16:03   ` leam hall
2014-11-20 16:10 ` Steve Grubb
2014-11-20 16:56   ` leam hall
2014-11-20 17:08     ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox