From: Trevor Vaughan <peiriannydd@gmail.com>
To: linux-audit@redhat.com
Subject: Re: auditing activity where uid==0
Date: Fri, 04 Dec 2009 06:08:42 -0500 [thread overview]
Message-ID: <4B18EDBA.5070603@gmail.com> (raw)
In-Reply-To: <200910191114.45636.sgrubb@redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>
> -a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295
Be aware that this rule does grab the nfsnobody user, which has a uid > 500.
>
> The loginuid is only set for real logins. But if they issue "service httpd
> restart", then apache has their loginuid, too, and you will start getting
> apache events.
Yes, and this is quite painful.
>
>> I'm getting lots of extraneous chatter from sshd, automount, and cron, all
>> of which are from tty=(none), but I'm not sure it's possible to filter on
>> tty...
It's not as far as I could find, though this would be an awesome
feature. Basically, the ability to say, tty!=none.
>
> The way that we suggest auditing the actions of a root user is by using the
> tty audit capability. This is a little more specific about what is really
> happening. For example, someone could start a python shell and start issuing
> commands. If you audit by execve, then all you see is python start up and then
> you see nothing else. Also, bash can do networking. Its possible to transfer
> files using bash primitives that you won't pick up by auditing execve syscalls.
> Awk is also network aware...
One thing to note about the tty audit capability is that it is a forward
processing logger, not an echo logger. This means that it *will*
capture passwords that you type in at the command line even if they are
not echoed.
You may want to look at something like sudosh or the like which are echo
loggers and will not collect anything that is hidden from the terminal.
This presents its own problems, but at least won't grab sensitive
passwords in general.
Trevor
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksY7boACgkQyjMdFR1108BQxQCeNnLC/430OiNSHVZVhU2GdJ6h
BEwAn34K52cRhSZsDQ1PpFbtqP1tnqwa
=7MfW
-----END PGP SIGNATURE-----
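The discussion above turns on two limits of the quoted auditctl rule: it cannot say `tty!=none`, so daemons restarted from a login session (the `service httpd restart` case) keep the user's loginuid and show up in the log, and `auid>=500` also sweeps in system accounts such as nfsnobody. Below is an added example, not code from the thread or from the audit project, that reproduces the kernel-side match of the rule in userspace and then applies the two post-filters the rule itself cannot express. The sample SYSCALL records are constructed by hand; the nfsnobody uid of 65534, the uid floor of 500, and execve being syscall 59 on x86_64 are assumptions stated in the code.

```python
"""Post-filter for auditd SYSCALL records that the thread's auditctl rule cannot express.

Added example for this page; not code written by the thread participants.
Sample records are constructed, not captured from a real system.
"""
import re

UNSET_AUID = 4294967295   # -1 as unsigned 32-bit: loginuid was never set
UID_MIN = 500             # uid floor used by the thread's rule (auid>=500)
NFSNOBODY_UID = 65534     # nfsnobody on RHEL/CentOS of that era (assumption)
EXECVE_X86_64 = 59        # execve syscall number on x86_64, arch=c000003e (assumption)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_INT_FIELDS = {"syscall", "pid", "ppid", "auid", "uid", "gid", "euid", "ses"}

# Constructed sample records in auditd key=value layout (not real logs).
SAMPLE_RECORDS = [
    # root command from an interactive login on a pty: the event we want
    'type=SYSCALL msg=audit(1259920000.101:101): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2000 pid=2001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" key="root-exec"',
    # sshd forking at boot: auid unset, already excluded by auid!=4294967295
    'type=SYSCALL msg=audit(1259920000.102:102): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=1900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="root-exec"',
    # crond restarted via "service crond restart" from uid 500's session: inherits auid=500
    'type=SYSCALL msg=audit(1259920000.103:103): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=2100 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=1 comm="crond" exe="/usr/sbin/crond" key="root-exec"',
    # httpd restarted the same way: the "apache events" the thread complains about
    'type=SYSCALL msg=audit(1259920000.104:104): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=2200 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" key="root-exec"',
    # loginuid of nfsnobody (65534 > 500): matches the rule but is not a human login
    'type=SYSCALL msg=audit(1259920000.105:105): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2300 pid=2301 auid=65534 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=7 comm="sh" exe="/bin/sh" key="root-exec"',
    # ordinary user command, euid!=0: the rule never fires
    'type=SYSCALL msg=audit(1259920000.106:106): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2000 pid=2002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 '
    'sgid=500 fsgid=500 tty=pts0 ses=1 comm="ls" exe="/bin/ls" key="root-exec"',
]


def parse_record(line):
    """Turn one auditd key=value record into a dict; id-like fields become ints."""
    rec = {}
    for key, val in _FIELD_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if key in _INT_FIELDS and val.isdigit():
            val = int(val)
        rec[key] = val
    return rec


def matches_rule(rec):
    """Mirror the kernel match of: -S execve -F euid=0 -F auid>=500 -F auid!=4294967295."""
    auid = rec.get("auid")
    return (rec.get("syscall") == EXECVE_X86_64
            and rec.get("euid") == 0
            and isinstance(auid, int)
            and auid >= UID_MIN
            and auid != UNSET_AUID)


def wanted_after_post_filter(rec):
    """Userspace filters auditctl cannot express: drop tty=(none) and nfsnobody."""
    if rec.get("tty") == "(none)":      # daemons restarted from a login inherit the auid
        return False
    if rec.get("auid") == NFSNOBODY_UID:  # above the uid floor but not a real login
        return False
    return True


def filter_records(lines):
    """Return comm names of records that pass both the rule and the post-filter."""
    kept = []
    for line in lines:
        rec = parse_record(line)
        if matches_rule(rec) and wanted_after_post_filter(rec):
            kept.append(rec["comm"])
    return kept


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        hit = matches_rule(rec)
        print(f'{rec["comm"]:>8} auid={rec["auid"]:<10} tty={rec["tty"]:<6} '
              f'rule={hit} kept={hit and wanted_after_post_filter(rec)}')
```

Run against the constructed records, the rule alone fires for useradd, crond, httpd and the nfsnobody shell; only useradd survives the tty and account filters. In practice this logic would sit in an ausearch/aureport post-processing step or a log pipeline, since the kernel filter has no tty field to test.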
Thread overview: 4+ messages
2009-10-19 15:02 auditing activity where uid==0 Rich Whitcroft
2009-10-19 15:14 ` Steve Grubb
2009-12-04 11:08 ` Trevor Vaughan [this message]
2009-12-04 14:35 ` Steve Grubb