* STIG issue with auditctl -l

From: leam hall @ 2014-11-20 15:42 UTC
To: linux-audit

The RHEL 6 STIG says:

  auditctl -l | grep syscall | grep chmod

Should return lines referring to chmod. Those lines are in my audit.rules. Just doing an:

  auditctl -l | grep syscall

Returns nothing. I've got no issues telling the STIG folks how to do their work, but wanted to make sure I know what I'm talking about first.

Am I missing something if there's no "syscall" line(s) returned?

Thanks!

Leam

--
Mind on a Mission
* Re: STIG issue with auditctl -l

From: LC Bruzenak @ 2014-11-20 15:52 UTC
To: linux-audit

On 11/20/2014 09:42 AM, leam hall wrote:
> The RHEL 6 STIG says:
>
>   auditctl -l | grep syscall | grep chmod
>
> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
>
>   auditctl -l | grep syscall
>
> Returns nothing. I've got no issues telling the STIG folks how to do
> their work, but wanted to make sure I know what I'm talking about
> first.
>
> Am I missing something if there's no "syscall" line(s) returned?
>
> Thanks!
>
> Leam

The auditctl command returns the rules loaded into the kernel.
Looks to me as if you might not have a running auditd or else your rules were not all successfully loaded.
This can happen if there was an error inside the ruleset and you didn't have the "-c" or "-i" flag set to continue loading the rules.
Check your syslog for any errors on startup; also just auditctl -l and compare the loaded rules against your file.

HTH,
LCB

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* Re: STIG issue with auditctl -l

From: leam hall @ 2014-11-20 16:03 UTC
To: linux-audit

On Thu, Nov 20, 2014 at 10:52 AM, LC Bruzenak <lenny@magitekltd.com> wrote:
> On 11/20/2014 09:42 AM, leam hall wrote:
>> The RHEL 6 STIG says:
>>
>>   auditctl -l | grep syscall | grep chmod
>>
>> Should return lines referring to chmod. Those lines are in my
>> audit.rules. Just doing an:
>>
>>   auditctl -l | grep syscall
>>
>> Returns nothing. I've got no issues telling the STIG folks how to do
>> their work, but wanted to make sure I know what I'm talking about
>> first.
>>
>> Am I missing something if there's no "syscall" line(s) returned?
>>
>> Thanks!
>>
>> Leam
>
> The auditctl command returns the rules loaded into the kernel.
> Looks to me as if you might not have a running auditd or else your rules
> were not all successfully loaded.
> This can happen if there was an error inside the ruleset and you didn't
> have the "-c" or "-i" flag set to continue loading the rules.
> Check your syslog for any errors on startup; also just auditctl -l and
> compare the loaded rules against your file.
>
> HTH,
> LCB
>
> --
> LC (Lenny) Bruzenak
> lenny@magitekltd.com

Hmm... I played with chmod; removed fchmodat. The audit daemon says it's running.

  service auditd status
  auditd (pid 609) is running...

Before the mod:

  auditctl -l | grep chmod
  -a always,exit -F arch=i386 -S chmod,fchmod,fchmodat -F key=perm_mod
  -a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod

After editing audit.rules and restarting auditd:

  auditctl -l | grep chmod
  -a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
  -a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod

Where's the best place to put debug flags?

Thanks!

Leam

--
Mind on a Mission
* Re: STIG issue with auditctl -l

From: Steve Grubb @ 2014-11-20 16:10 UTC
To: linux-audit

On Thursday, November 20, 2014 10:42:04 AM leam hall wrote:
> The RHEL 6 STIG says:
>
>   auditctl -l | grep syscall | grep chmod

This is a forensics check of the system. A configuration scan should do

  cat /etc/audit/audit.rules

> Should return lines referring to chmod. Those lines are in my
> audit.rules. Just doing an:
>
>   auditctl -l | grep syscall

The format of the output changed. But the STIG is not right for mixing a forensics check with a configuration check. If you really needed to do a check using auditctl, then use this:

  auditctl -l | grep chmod

Just grep on the syscall and leave system out of it. You should have never needed it unless

-Steve
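As an added illustration (not code from the thread or from the audit project), the check below parses the newer "auditctl -l" output format quoted above, which no longer carries the word "syscall", and reports which of chmod, fchmod and fchmodat are missing for each architecture. The sample input is constructed to mirror Leam's "after" output, where fchmodat was dropped from the i386 rule; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of "auditctl -l" output (the "-a always,exit -F arch=...
# -S a,b,c -F key=..." format quoted in the thread): fchmodat missing on i386.
SAMPLE_RULES='-a always,exit -F arch=i386 -S chmod,fchmod -F key=perm_mod
-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=perm_mod'

# missing_syscalls ARCH RULES_TEXT
# Prints the chmod-family syscalls that no loaded rule for ARCH covers.
missing_syscalls() {
    arch="$1"; rules="$2"; missing=""
    for sc in chmod fchmod fchmodat; do
        if ! printf '%s\n' "$rules" | awk -v arch="$arch" -v sc="$sc" '
            # Walk the tokens of each rule: note its arch, then scan the -S list.
            {
                a = ""; found = 0
                for (i = 1; i <= NF; i++) {
                    if ($i == "-F" && $(i+1) ~ /^arch=/) a = substr($(i+1), 6)
                    if ($i == "-S") {
                        n = split($(i+1), list, ",")
                        for (j = 1; j <= n; j++) if (list[j] == sc) found = 1
                    }
                }
                if (a == arch && found) hit = 1
            }
            END { exit hit ? 0 : 1 }'; then
            missing="$missing $sc"
        fi
    done
    printf '%s' "${missing# }"
}

# check_chmod_rules RULES_TEXT
# Prints "OK", or one "MISSING <arch>: <syscalls>" line per incomplete arch,
# and returns non-zero when anything is missing.
check_chmod_rules() {
    rc=0
    for arch in i386 x86_64; do
        m=$(missing_syscalls "$arch" "$1")
        if [ -n "$m" ]; then echo "MISSING $arch: $m"; rc=1; fi
    done
    [ "$rc" -eq 0 ] && echo "OK"
    return $rc
}

# On a live system replace SAMPLE_RULES with "$(auditctl -l)".
check_chmod_rules "$SAMPLE_RULES" || echo "loaded rules do not satisfy the check"
```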
* Re: STIG issue with auditctl -l

From: leam hall @ 2014-11-20 16:56 UTC
To: linux-audit

On Thu, Nov 20, 2014 at 11:10 AM, Steve Grubb <sgrubb@redhat.com> wrote:
...
> -Steve

Steve, as always I appreciate your fast response and awesome help! I'm collating stuff to send up the chain.

Thanks!

Leam

--
Mind on a Mission
* Re: STIG issue with auditctl -l

From: Steve Grubb @ 2014-11-20 17:08 UTC
To: linux-audit

On Thursday, November 20, 2014 11:56:50 AM leam hall wrote:
> Steve, as always I appreciate your fast response and awesome help! I'm
> collating stuff to send up the chain.

I discussed this a couple weeks back on the SCAP Security Guide mail list:

https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-October/006251.html

You might want to review that thread because I pointed out a couple more mistakes that it's making. Not to mention, if you have to STIG a box, wouldn't you want to have a scanner to tell you that you are in compliance? SSG + openscap solves this problem in an open source way.

-Steve