trouble with a number of audit rules

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* trouble with a number of audit rules
@ 2007-01-29 21:57 Bill Tangren
  2007-01-29 22:15 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Bill Tangren @ 2007-01-29 21:57 UTC (permalink / raw)
  To: linux-audit

Hello all,

I am trying to add the following functionality to auditd (via audit.rules) using 
the following rules, but the rules don't work on my RHEL ES 4 system (fully 
patched). Could someone look at them and tell me what I am doing wrong, or where 
I can read how to do it right?

1)
# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.

RULE:
-w /var/log/audit/audit.log -p r -F auid=-1

ERROR:
List must be given before field

2)
# Ensures that any user who mounts or unmounts a device is audited

RULE:
-a exit,always -S mount -S umount

ERROR:
Syscall name unknown: umount

3)
# ensures auditing whenever the reboot command is sent to the kernel

RULE:
-a always,entry -S socketcall -F a0=13

ERROR:
Syscall name unknown: socketcall

4)
# Ensures auditing of any unauthorized access to roots home directory.

RULE:
-w /root -p rw -F uid!=0

ERROR:
List must be given before field

5)
#Ensure that failed use of the following system calls is audited

RULE:
-a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0 -F 
auid=-1 -F auid=0

ERROR:
Syscall name unknown: stime

TIA,

Bill Tangren

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: trouble with a number of audit rules
  2007-01-29 21:57 trouble with a number of audit rules Bill Tangren
@ 2007-01-29 22:15 ` Steve Grubb
  2007-01-29 22:33   ` Bill Tangren
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2007-01-29 22:15 UTC (permalink / raw)
  To: linux-audit

On Monday 29 January 2007 16:57, Bill Tangren wrote:
> 1)
> # Ensures that any reads of the audit log by the current user that's logged
> is # audited. It might be beneficial to create a rule for each of the 5
> logs # that are generated.
>
> RULE:
> -w /var/log/audit/audit.log -p r -F auid=-1

On RHEL4, syscall auditing and file system auditing cannot be mixed on the 
same line. Watches can only take -p & -k parameters.

> 2)
> # Ensures that any user who mounts or unmounts a device is audited
>
> RULE:
> -a exit,always -S mount -S umount

Are you on x86_64? If so, you should use umount2. I believe this is documented 
in capp.rules.

> 3)
> # ensures auditing whenever the reboot command is sent to the kernel
>
> RULE:
> -a always,entry -S socketcall -F a0=13

x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would 
need to audit shutdown.)

> 4)
> # Ensures auditing of any unauthorized access to roots home directory.
>
> RULE:
> -w /root -p rw -F uid!=0

see #1 above

> 5)
> #Ensure that failed use of the following system calls is audited
>
> RULE:
> -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
> -F auid=-1 -F auid=0

stime is valid on i386. maybe settimeofday?

-Steve

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: trouble with a number of audit rules
  2007-01-29 22:15 ` Steve Grubb
@ 2007-01-29 22:33   ` Bill Tangren
  0 siblings, 0 replies; 3+ messages in thread
From: Bill Tangren @ 2007-01-29 22:33 UTC (permalink / raw)
  To: linux-audit

Steve Grubb wrote:
> On Monday 29 January 2007 16:57, Bill Tangren wrote:
>> 1)
>> # Ensures that any reads of the audit log by the current user that's logged
>> is # audited. It might be beneficial to create a rule for each of the 5
>> logs # that are generated.
>>
>> RULE:
>> -w /var/log/audit/audit.log -p r -F auid=-1

This is in the capp.rules too.

> 
> On RHEL4, syscall auditing and file system auditing cannot be mixed on the 
> same line. Watches can only take -p & -k parameters.
> 
>> 2)
>> # Ensures that any user who mounts or unmounts a device is audited
>>
>> RULE:
>> -a exit,always -S mount -S umount
> 
> Are you on x86_64? If so, you should use umount2. I believe this is documented 
> in capp.rules.

Yes, x86_64. I missed this one in capp.rules. Damn.

> 
>> 3)
>> # ensures auditing whenever the reboot command is sent to the kernel
>>
>> RULE:
>> -a always,entry -S socketcall -F a0=13
> 
> x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would 
> need to audit shutdown.)
> 
>> 4)
>> # Ensures auditing of any unauthorized access to roots home directory.
>>
>> RULE:
>> -w /root -p rw -F uid!=0

I'll have to think some more about how to do this one.

> 
> see #1 above
> 
>> 5)
>> #Ensure that failed use of the following system calls is audited
>>
>> RULE:
>> -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
>> -F auid=-1 -F auid=0
> 
> stime is valid on i386. maybe settimeofday?

Yes, settimeofday worked.

> 
> -Steve
> 

Thanks, Steve.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2007-01-29 22:33 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-01-29 21:57 trouble with a number of audit rules Bill Tangren
2007-01-29 22:15 ` Steve Grubb
2007-01-29 22:33   ` Bill Tangren

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox