* auid=0 @ 2015-08-03 18:11 rshaw1 2015-08-03 18:21 ` auid=0 Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: rshaw1 @ 2015-08-03 18:11 UTC (permalink / raw) To: linux-audit Comparing the "official" STIG content with the scap-security-guide content, the former seems to have added corresponding rules for "-F auid=0" that aren't present in scap-security guide. i.e. where scap-security-guide will just have one rule: -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete the official content will have the above plus: -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete Is the addition necessary? It doesn't seem to be, as the rules caught root usage of, for example, chmod just fine without it (I had used su; not sure if there's a difference between that and other ways of being root.) I would like to make sure I'm right before asking one group or the other to delete or add it, respectively. --Ray ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auid=0 2015-08-03 18:11 auid=0 rshaw1 @ 2015-08-03 18:21 ` Steve Grubb 2015-08-03 18:53 ` auid=0 rshaw1 0 siblings, 1 reply; 4+ messages in thread From: Steve Grubb @ 2015-08-03 18:21 UTC (permalink / raw) To: linux-audit On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote: > Comparing the "official" STIG content with the scap-security-guide > content, the former seems to have added corresponding rules for "-F > auid=0" that aren't present in scap-security guide. i.e. where > scap-security-guide will just have one rule: > > -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F > auid!=4294967295 -k delete > > the official content will have the above plus: > > -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete > > Is the addition necessary? Does the official STIG allow root logins? If so, I think that is a big mistake and should be fixed. If it does not allow root logins, then the only way I can think of having auid to be 0 is for root cron jobs. > It doesn't seem to be, as the rules caught root usage of, for example, chmod > just fine without it (I had used su; not sure if there's a difference between > that and other ways of being root.) I would like to make sure I'm right > before asking one group or the other to delete or add it, respectively. Perhaps they consider root cronjobs to be an attack vector? -Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auid=0 2015-08-03 18:21 ` auid=0 Steve Grubb @ 2015-08-03 18:53 ` rshaw1 2015-08-03 19:06 ` auid=0 Steve Grubb 0 siblings, 1 reply; 4+ messages in thread From: rshaw1 @ 2015-08-03 18:53 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit > On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote: >> Comparing the "official" STIG content with the scap-security-guide >> content, the former seems to have added corresponding rules for "-F >> auid=0" that aren't present in scap-security guide. i.e. where >> scap-security-guide will just have one rule: >> >> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F >> auid!=4294967295 -k delete >> >> the official content will have the above plus: >> >> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete >> >> Is the addition necessary? > > Does the official STIG allow root logins? If so, I think that is a big > mistake > and should be fixed. If it does not allow root logins, then the only way > I can > think of having auid to be 0 is for root cron jobs. It doesn't, but that doesn't mean they don't love to layer the hell out of things. >> It doesn't seem to be, as the rules caught root usage of, for example, >> chmod >> just fine without it (I had used su; not sure if there's a difference >> between >> that and other ways of being root.) I would like to make sure I'm right >> before asking one group or the other to delete or add it, respectively. > > Perhaps they consider root cronjobs to be an attack vector? Perhaps. What about exploiting a daemon that runs as root? Would cron be the only one to show up as auid=0? I know there is some sort of thing that happens where the daemon will inherit the <somthing>uid of anyone who restarts it, but I'm not sure what it would start as at boot. I'm hoping to not have to nearly double the amount of rules, but I'm guessing it doesn't work to have auid >=500, !=4294967295, and =0 in the same rule (when I tried it, it seemed to stop catching chmod altogether). --Ray ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: auid=0 2015-08-03 18:53 ` auid=0 rshaw1 @ 2015-08-03 19:06 ` Steve Grubb 0 siblings, 0 replies; 4+ messages in thread From: Steve Grubb @ 2015-08-03 19:06 UTC (permalink / raw) To: rshaw1; +Cc: linux-audit On Monday, August 03, 2015 02:53:52 PM rshaw1@umbc.edu wrote: > > On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote: > >> Comparing the "official" STIG content with the scap-security-guide > >> content, the former seems to have added corresponding rules for "-F > >> auid=0" that aren't present in scap-security guide. i.e. where > >> scap-security-guide will just have one rule: > >> > >> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F > >> auid!=4294967295 -k delete > >> > >> the official content will have the above plus: > >> > >> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete > >> > >> Is the addition necessary? > > > > Does the official STIG allow root logins? If so, I think that is a big > > mistake > > and should be fixed. If it does not allow root logins, then the only way > > I can > > think of having auid to be 0 is for root cron jobs. > > It doesn't, but that doesn't mean they don't love to layer the hell out of > things. I wouldn't expect root cron jobs to be a threat. But if they are worried about insider threats, then there should be a bunch of other new rules that use the inter-object comparator. > >> It doesn't seem to be, as the rules caught root usage of, for example, > >> chmod > >> just fine without it (I had used su; not sure if there's a difference > >> between > >> that and other ways of being root.) I would like to make sure I'm right > >> before asking one group or the other to delete or add it, respectively. > > > > Perhaps they consider root cronjobs to be an attack vector? > > Perhaps. What about exploiting a daemon that runs as root? Daemons have auid set to -1. To get auid to be anything other than -1, the loginuid has to be set. That is typically done by pam_loginuid.so. > Would cron be the only one to show up as auid=0? Yes, because cron calls pam_loginuid to setup the user session. Atd would also do this, but I think the code is now based off the same executable. > I know there is some sort of thing that happens where the daemon will > inherit the <somthing>uid of anyone who restarts it, but I'm not sure what > it would start as at boot. > > I'm hoping to not have to nearly double the amount of rules, but I'm > guessing it doesn't work to have auid >=500, !=4294967295, and =0 in the > same rule (when I tried it, it seemed to stop catching chmod altogether). Everything in a rule forms an "and" expression. So, auid>=500 && auid=0 is logically false. -Steve ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-03 19:06 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-08-03 18:11 auid=0 rshaw1 2015-08-03 18:21 ` auid=0 Steve Grubb 2015-08-03 18:53 ` auid=0 rshaw1 2015-08-03 19:06 ` auid=0 Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).