Re: AuditRule Questions

Re: AuditRule Questions

[Steve Grubb]

On Tuesday, January 19, 2021 8:15:33 AM EST Joe Wulf wrote:
> 1. In audit rules 2.8.5 (front portion of the rules):
> 
> ## Unsuccessful file access (any other opens) This has to go last.
> -a always,exit -F arch=b32 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES-a
> always,exit -F arch=b64 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES-a
> always,exit -F arch=b32 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM-a
> always,exit -F arch=b64 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at  -F exit=-EPERM
> Whereas in audit rules 3.0, the same portion of the same rules looks like:
> -a always,exit -F arch=b32 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES-a
> always,exit -F arch=b32 -S
> open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM-a
> always,exit -F arch=b64 -S
> open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES-a
> always,exit -F arch=b64 -S
> open,truncate,ftruncate,creat,openat,open_by_handle_at  -F exit=-EPERM
> 
> The ordering of the syscalls differs between the two, as well as the
> sequential order of the rules themselves. I better understand that the
> first audit-rule matched 'wins'.-  Please help me understand the reason
> for the change in sequence, but also for the change in the order of the
> syscalls (i.e. between 2.8.5 and 3.0).

There were several 3.0 alpha releases. I'm not sure which one you are calling 
3.0. Because I can't find an exact match. Based on the text above, I do not 
see the syscall ordering changed at all. The only thing that I see is in 
2.8.5 they are grouped by exit code whereas 3.0 is grouped by arch. Since 
this group of rules all have the same key, they are working as a team. That 
means that what matters is the placement of this group of rules relative to 
other groups of rules is what matters. In both cases a syscall can ever only 
match one of them - the exit code either is or isn't EPERM, it either is or 
isn't b32.


> 2.  I notice there are many rules across the entire set (both 2.8.5 and
> 3.0) that define their key with "-F key=<name>", and others simply with
> "-k <name>".-  Why are their two methods for KEY naming, and does one have
> a distinct meaning, or precedence, over the other?

This is explained in the audit.rules man page in the discussion about 
watches. Way back in 2005, there was the idea of filesystem watches. The 
syntax for them was

-w path-to-file -p permissions -k keyname

The initial implementation was found to have some limits and it was rewritten 
around 2006 around a new syscall API. The old syscall API was deprecated, 
too. This new syscall API was capable of handling pathes. So, that means the 
following is equivalent to the above

-a always,exit -F path=path-to-file -F perm=permissions -F key=keyname

But to preserve backwards compatibility, auditctl translates the first form 
into the second under the covers. You cannot mix the two notations in the 
same rule or auditctl will reject it.

> Are their some 'rule' types where '-k' is appropriate, whereas '-F key=" is
> not, thus they are not truly 100% interchangeable?

Hopefully above makes this clear.

> -  If both methods ARE equivalent
> throughout ALL of the audit.rules content, would it be reasonable to
> standardize on one method in v3.0.x of your rules going forward?

It appears that all rules have been standardized around the syscall method 
except for the nispom and stig rules which are no longer preferred. I suppose 
at some point I should just drop nispom since no one has asked about meeting 
it in 12 or 13 years. At this point, the ospp rules are the recommended rule 
set.

 
> 3.  For a RHEL 7.x (and even 8.x) system where the hardware is x86_64 and
> there is no reasonable expectation to install or operate 'ANY' 32bit
> software, is there any value, or system performance penalty, to totally
> eliminating all 'b32' rules?

You could. But then I'd add  "21-no32bit.rules"  to detect if something tries 
to use it to evade detection. The 32 bit ABI is available even on 64 bit 
systems.


> 4.  On the grub/kernel commandline, I can add:  'audit=1' -and-
> 'audit_backlog_limit=####'.  I looked for solutions to address the issue I
> was having, and found one here: 
> https://access.redhat.com/solutions/19327; I found another somewhat
> helpful reference here: 
> https://blog.siphos.be/2015/05/audit-buffering-and-rate-limiting; though
> it doesn't make good recommendations for the kernel parameter sizing (if
> that is a good thing to do in RHEL 7/RHEL 8). -  Is there good relevance
> in RHEL 7, or RHEL 8 to adding this option to the grub/kernel
> commandline?-  Is there an upper-limit in setting the number? -  What is
> the correlation of this grub/kernel item, to the '-b ####' rule in
> /etc/audit/rules.d/audit.rules?  Are they (or should they be treated as)
> mutually exclusive? -  In the 2nd reference, what process do you suggest
> for me to determine optimal values for 'kernel.printk_ratelimit'  -and - 
> 'kernel.printk_ratelimit_burst', as well as for grub/kernel
> 'audit_backlog_limit=####' and audit.rules '-b ####'? -  This link also
> seems relevant to the sysctl param's valuations: 
> https://topic.alibabacloud.com/a/linux-system-log-__ratelimitn-callbacks-s
> uppressed_1_16_30164105.html-  Does values for 'kernel.printk_ratelimit =
> 1';   -and-   'kernel.printk_ratelimit_burst = 1024' seem reasonable?

I covered this topic here:

http://security-plus-data-science.blogspot.com/2017/05/a-suggested-change-for-rhel-7-disa-stig.html

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: AuditRule Questions

[Steve Grubb]

On Tuesday, January 19, 2021 1:11:56 PM EST Joe Wulf wrote:
>  Steve,
> 
> On Tuesday, January 19, 2021, 11:57:03 AM EST, Steve Grubb 
<sgrubb@redhat.com> wrote:
>  > On Tuesday, January 19, 2021 8:15:33 AM EST Joe Wulf wrote:
> > > 1. In audit rules 2.8.5 (front portion of the rules):> > > > ##
> > > Unsuccessful file access (any other opens) This has to go last.> > -a
> > > always,exit -F arch=b32 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
> > > exit=-EACCES-a> > always,exit -F arch=b64 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
> > > exit=-EACCES-a> > always,exit -F arch=b32 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
> > > exit=-EPERM-a> > always,exit -F arch=b64 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at  -F
> > > exit=-EPERM> > Whereas in audit rules 3.0, the same portion of the
> > > same rules looks like:> > -a always,exit -F arch=b32 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
> > > exit=-EACCES-a> > always,exit -F arch=b32 -S> >
> > > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
> > > exit=-EPERM-a> > always,exit -F arch=b64 -S> >
> > > open,truncate,ftruncate,creat,openat,open_by_handle_at -F
> > > exit=-EACCES-a> > always,exit -F arch=b64 -S> >
> > > open,truncate,ftruncate,creat,openat,open_by_handle_at  -F
> > > exit=-EPERM> > > > The ordering of the syscalls differs between the
> > > two, as well as the> > sequential order of the rules themselves. I
> > > better understand that the> > first audit-rule matched 'wins'.- 
> > > Please help me understand the reason> > for the change in sequence,
> > > but also for the change in the order of the> > syscalls (i.e. between
> > > 2.8.5 and 3.0).> > There were several 3.0 alpha releases. I'm not sure
> > > which one you are calling > 3.0. Because I can't find an exact match.
> > > Based on the text above, I do not > see the syscall ordering changed
> > > at all. The only thing that I see is in > 2.8.5 they are grouped by
> > > exit code whereas 3.0 is grouped by arch. Since > this group of rules
> > > all have the same key, they are working as a team. That > means that
> > > what matters is the placement of this group of rules relative to >
> > > other groups of rules is what matters. In both cases a syscall can
> > > ever only > match one of them - the exit code either is or isn't
> > > EPERM, it either is or > isn't b32.>> 
> > <snip>>
> > -Steve
> 
> Steve,
> Thank you for the wealth of feedback.  All very useful.  Thank you.
> I pulled v3.0 of the audit rules out of RHEL 8.3.
> In the sections I referenced, for v2.8.5 the syscalls for b64 are in the
> order of:open,create,truncate,ftruncate ..... in v3.0, they are in the
> order of:open,truncate,ftruncate,create .... Since, as you say above, the
> audit rule can only ever match one syscal.... I'm now understanding the
> actual order of the syscall's is no longer relevant on such lines (from an
> auditing perspective)? 

In the kernel, the syscalls in each rule go into a large bitmask so that all 
can be checked quickly. Ordering within a rule doesn't matter for syscalls. 
Otherwise, fields are checked sequentially from left to right. So, things that 
may be false most of the time should be located more to the left for better 
performance.

> In general for a any given system being run and
> audited by either set of rules, the end result I suspect would be the
> same.The challenge could come in when certain vulnerability tools assess
> the system, and do so by seeking an exact match of rule syntax.

That is a challenge. That is what drove splitting up the ospp rules into 
individual files.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit