Linux-audit Archive on lore.kernel.org
* Adding rules
@ 2006-06-07 18:30 Steve
From: Steve @ 2006-06-07 18:30 UTC
  To: linux-audit

I am attempting to create a c program that can add rules to the audit 
sub-system and monitor the resulting events.  I have read through the 
code in libaudit.h, audit.h, audit.c, and auditsc.c as well as several 
man pages pertaining to audit and extended searching of the web.

I am trying to add a rule using audit_add_rule() so audit will "watch" a 
file.  The first problem is that there doesn't seem to be an appropriate 
field under the "Rule Fields" section of audit.h.  The second is that 
the value must be an integer...

I have succeeded in adding the rule from the command-line using auditctl.

I would appreciate any help you can offer,
Steve

I am using: audit-1.2.3-1 and glibc-kernheaders-3.0-37


* Re: Adding rules
From: Steve Grubb @ 2006-06-07 18:50 UTC
  To: linux-audit

On Wednesday 07 June 2006 14:30, Steve wrote:
> I am trying to add a rule using audit_add_rule() so audit will "watch" a
> file.  The first problem is that there doesn't seem to be an appropriate
> field under the "Rule Fields" section of audit.h.  The second is that
> the value must be an integer...

You need to be using the audit_rule_data structure. It allows strings to be 
added to it. For an example of setting up a watch, look at the code in 
auditctl.c. Look for audit_setup_watch_name(). You'll need to replicate the 
code in it. Then call audit_add_rule_data().

-Steve

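As an added example (not code from this thread, from auditctl or from libaudit), here is the watch rule Steve describes filled into the kernel's struct audit_rule_data and submitted as an AUDIT_ADD_RULE netlink message, which is what auditctl's audit_setup_watch_name() followed by audit_add_rule_data() amounts to. It assumes the kernel UAPI headers linux/audit.h and linux/netlink.h; the names build_watch_rule and send_rule and the watched path are made up for the illustration, and actually adding the rule needs CAP_AUDIT_CONTROL.

```c
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Exit-filter, always-audit rule for every syscall on `path`, laid out the way
 * auditctl fills struct audit_rule_data for "-w path".  Malloc'd; *total = bytes. */
struct audit_rule_data *build_watch_rule(const char *path, size_t *total)
{
    size_t len = strlen(path);
    struct audit_rule_data *r = len ? calloc(1, sizeof(*r) + len) : NULL;

    if (!r) return NULL;
    *total = sizeof(*r) + len;
    r->flags = AUDIT_FILTER_EXIT;            /* -a exit,always */
    r->action = AUDIT_ALWAYS;
    memset(r->mask, 0xff, sizeof(r->mask));  /* -S all: every syscall bit set */
    r->fields[0] = AUDIT_WATCH;  r->values[0] = len;  /* string field: value = length */
    r->fieldflags[0] = AUDIT_EQUAL;
    r->fields[1] = AUDIT_PERM;               /* -p rwxa */
    r->values[1] = AUDIT_PERM_READ | AUDIT_PERM_WRITE | AUDIT_PERM_EXEC | AUDIT_PERM_ATTR;
    r->fieldflags[1] = AUDIT_EQUAL;
    r->field_count = 2;  r->buflen = len;    /* string data follows the struct */
    memcpy(r->buf, path, len);
    return r;
}

/* Send the rule as an AUDIT_ADD_RULE request, the netlink exchange that
 * libaudit's audit_add_rule_data() performs.  Needs CAP_AUDIT_CONTROL. */
int send_rule(const struct audit_rule_data *r, size_t total)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    struct nlmsghdr *nlh = calloc(1, NLMSG_SPACE(total));
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT), ok = 0;

    if (fd >= 0 && nlh) {
        nlh->nlmsg_len = NLMSG_LENGTH(total);
        nlh->nlmsg_type = AUDIT_ADD_RULE;
        nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
        memcpy(NLMSG_DATA(nlh), r, total);
        ok = sendto(fd, nlh, nlh->nlmsg_len, 0,
                    (struct sockaddr *)&kernel, sizeof(kernel)) >= 0;
    }
    if (fd >= 0) close(fd);
    free(nlh);
    return ok ? 0 : -1;   /* 0 = request sent; the kernel's ACK is not read here */
}
```

The resulting events carry the watched path in their PATH record, so they can be found with ausearch by the file name or by a key if you also add an AUDIT_FILTERKEY field.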

* adding rules
From: Pittigher, Raymond  - CS @ 2009-10-16 22:22 UTC
  To: linux-audit@redhat.com

OK, I cannot find any documentation on auditing and/or using auditctl besides the man pages so I need to use this list
server. We run servers that are on a classified network and require auditing so the NISPOM rules are loaded in the
servers. This causes huge log files, and I mean 12GB huge, too much to parse information quickly.
The file is full of entries with such things as the Backup Exec program that generates these:

type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0
a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=CWD msg=audit(1246316460.238:30532639):  cwd="/"
type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB" inode=17 dev=08:03 mode=060000 ouid=0 ogid=0
rdev=08:08 obj=system_u:object_r:tmp_t:s0

and also crond entries:
type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

and also ntpd entries:
type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8
a3=9d6d60 items=0 ppid=1 pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38
tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"

I have the ntp stuff under control by removing the 2 lines in the audit.rules file but the other 2 have thousands of
entries per day. How do I not log those in the rules? I notice that they both have SELinux subj fields
(subj=system_u:system_r:crond_t) but a rule created with
auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F subj_type=crond_t
or any variation of it does nothing. What can I read that would lead me in the right direction?




* Re: adding rules
From: Steve Grubb @ 2009-10-17 16:46 UTC
  To: linux-audit; +Cc: Pittigher, Raymond - CS

On Friday 16 October 2009 06:22:13 pm Pittigher, Raymond - CS wrote:
>  We run servers that are on a classified network and require auditing so the
>  NISPOM rules are loaded in the servers. This causes huge log files, and I
>  mean 12GB huge, too much to parse information quickly. The file is full of
>  entries with such things as the Backup Exec program that generates these:

It would be helpful to know which kernel/audit versions you are using since 
there have been new options added over time.


> type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2
>  success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0 a3=1 items=1 ppid=1 pid=19748
>  auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>  tty=(none) ses=4294967295 comm="beremote"
>  exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0
>  key="open" type=CWD msg=audit(1246316460.238:30532639):  cwd="/"
> type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB"
>  inode=17 dev=08:03 mode=060000 ouid=0 ogid=0 rdev=08:08
>  obj=system_u:object_r:tmp_t:s0

This looks like an open syscall failed with errno EACCES trying to open 
/tmp/filec5sswB. This would almost look like a real system problem. I would 
look into why beremote is not allowed to create tmp files.

But assuming that you wanted to do this with the audit system and you are on a 
somewhat recent kernel, you should be able to do something like:

-a exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open

at the top of the open section so that it matches first. This will cause all 
opens that have a subject label of initrc_t to not record an event. The 
problem is that it will do this not just for beremote, but all apps that have 
initrc_t for a subject label. The fix for this is to make a policy for beremote 
so that it has a different label and then the audit rule will only be applied 
to beremote.


> and also crond entries:
> type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0
>  auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
>  accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0
>  auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
>  setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0
>  auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
>  open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root"
>  : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0
>  subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close
>  acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
>  res=success)'

There's no good way to stop cron events unless you make some selinux policy 
that prevents cron from opening the netlink socket to send an audit event. 
This could be dontaudited so that you don't wind up with AVCs instead.


> and also ntpd entries:
> type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124
>  success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8 a3=9d6d60 items=0 ppid=1
>  pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38
>  sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd"
>  exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
> 
> I have the ntp stuff under control by removing the 2 lines in the
>  audit.rules file but the other 2 have thousands of entries per day. How do
>  I not log those in the rules?

I would consider keeping the rule, but put something ahead of it like 
this:

-a exit,never -F arch=b32 -S adjtimex -F subj_type=ntpd_t

This is in case your time gets changed some other way during a security breach. 
It would cause the chain of events to not look right.


>  I notice that they both have selinux sub fields
>  (subj=system_u:system_r:crond_t) but a rule created with
> auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F
>  subj_type=crond_t or any variation of does nothing. What can I read that
>  would lead me in the right direction?

You might want to look at:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp

Look at page 9. This shows where events come from and which filters they hit. 
The rule you mention above is written for the exit filter. The cron event comes 
from user space. It goes through the user filter, so that is where the rule would 
need to be. The only valid fields for this filter are: uid, auid, gid, and pid. 
So, there is not much there to help you.

The best approach for now is to use selinux to prevent crond_t from opening 
its socket. This might cause crond to have an error, or it might work out OK. 
I haven't tried it.
 
-Steve
