* Question on the unset user in audit @ 2013-11-05 11:19 Burn Alting 2013-11-05 12:51 ` Steve Grubb 0 siblings, 1 reply; 3+ messages in thread From: Burn Alting @ 2013-11-05 11:19 UTC (permalink / raw) To: linux-audit All, I have seen some audit.rules that ignore ALL events involving auid being the unset user ie a rule segment of -F auid!=4294967295 What are the possible risks of excluding recording events from the unset auid? Especially since I believe root could override the auid by writing to /proc/self/loginuid. Rgds ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Question on the unset user in audit 2013-11-05 11:19 Question on the unset user in audit Burn Alting @ 2013-11-05 12:51 ` Steve Grubb 2013-11-05 13:07 ` Burn Alting 0 siblings, 1 reply; 3+ messages in thread From: Steve Grubb @ 2013-11-05 12:51 UTC (permalink / raw) To: linux-audit, burn On Tuesday, November 05, 2013 10:19:23 PM Burn Alting wrote: > All, > > I have seen some audit.rules that ignore ALL events involving auid being > the unset user ie a rule segment of > > -F auid!=4294967295 > > What are the possible risks of excluding recording events from the unset > auid? Especially since I believe root could override the auid by writing > to /proc/self/loginuid. In talking with agencies like DISA, what they wanted is to identify events originating from users as opposed to normal "system" activities. Meaning that if during startup disks are mounted, its an uninteresting event because its normal startup activity. However, if there is an associated auid >= 500, then its user originating and of interest. Should an admin change their auid, there will be an audit event recording that fact. That said, Linux is not designed in any way to guard against a malicious admin. One of the assumptions in Common Criteria is A.NO_EVIL_ADMIN and there are training clauses. But there are some steps that can be taken. On newer kernels there is the object comparator commands '-C' where you can detect abuses of power such as an admin accessing a user's home directory. If you are really wanting to use the audit system to even detect signs of compromise, then you can to some extent. You can see apps crashing, you can imagine SE Linux as a defined behavior of applications so that AVC's represent attempts at intrusion, you can also see other attempted changes to the system such as installing executables. But I think at some point the system may be compromised to the point that you can't detect it from the host, you have to have external monitoring and look for suspicious behavior outside the system. Not sure if that was the direction you were going with your question. :-) -Steve ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Question on the unset user in audit 2013-11-05 12:51 ` Steve Grubb @ 2013-11-05 13:07 ` Burn Alting 0 siblings, 0 replies; 3+ messages in thread From: Burn Alting @ 2013-11-05 13:07 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit Steve, Thanks for the answer. In essence, one can ignore the unset user depending on one's appetite for risk and by taking a holistic approach to monitoring activity in a complete ICT environment. Rgds On Tue, 2013-11-05 at 07:51 -0500, Steve Grubb wrote: > On Tuesday, November 05, 2013 10:19:23 PM Burn Alting wrote: > > All, > > > > I have seen some audit.rules that ignore ALL events involving auid being > > the unset user ie a rule segment of > > > > -F auid!=4294967295 > > > > What are the possible risks of excluding recording events from the unset > > auid? Especially since I believe root could override the auid by writing > > to /proc/self/loginuid. > > In talking with agencies like DISA, what they wanted is to identify events > originating from users as opposed to normal "system" activities. Meaning that > if during startup disks are mounted, its an uninteresting event because its > normal startup activity. However, if there is an associated auid >= 500, then > its user originating and of interest. > > Should an admin change their auid, there will be an audit event recording that > fact. That said, Linux is not designed in any way to guard against a malicious > admin. One of the assumptions in Common Criteria is A.NO_EVIL_ADMIN and there > are training clauses. But there are some steps that can be taken. On newer > kernels there is the object comparator commands '-C' where you can detect > abuses of power such as an admin accessing a user's home directory. > > If you are really wanting to use the audit system to even detect signs of > compromise, then you can to some extent. You can see apps crashing, you can > imagine SE Linux as a defined behavior of applications so that AVC's represent > attempts at intrusion, you can also see other attempted changes to the system > such as installing executables. But I think at some point the system may be > compromised to the point that you can't detect it from the host, you have to > have external monitoring and look for suspicious behavior outside the system. > > Not sure if that was the direction you were going with your question. :-) > > -Steve > ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-11-05 13:07 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-11-05 11:19 Question on the unset user in audit Burn Alting 2013-11-05 12:51 ` Steve Grubb 2013-11-05 13:07 ` Burn Alting
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox