public inbox for linux-audit@redhat.com
* Captured system calls that should be filtered out
@ 2012-01-20 16:27 Kaplan, Eric D (IS)
  2012-01-20 16:49 ` Marcelo Cerri
  0 siblings, 1 reply; 2+ messages in thread
From: Kaplan, Eric D (IS) @ 2012-01-20 16:27 UTC (permalink / raw)
  To: linux-audit@redhat.com



I am trying to implement STIG rules for our system.  I modified Steve Grubb's stig.rules for my audit.rules file.  Included
was the rule

-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967296 -k perm_mod

which I understand should exempt root and unset processes from having these system calls captured.  Yet
in our audit.logs there was a torrent of records of the sort

type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=1 a1=100 a2=0 a3=7fff21800870 items=1 ppid=3536 pid=20965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod"
type=PATH msg=audit(1326897520.970:2005250): item=0 name=(null) inode=25631356 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00

and

type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e syscall=91 per=400000 success=yes exit=0 a0=5 a1=100 a2=0 a3=7fffa8f157d0 items=1 ppid=20707 pid=20726 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find_client_sta" exe="/bin/ksh93" key="perm_mod"
type=PATH msg=audit(1326897480.144:2005238): item=0 name=(null) inode=25630808 dev=00:05 mode=0140777 ouid=0 ogid=0 rdev=00:00

I need to get rid of them to make analysis possible and to avoid soaking up disk space.

find_client_status.ksh and time_adjust.ksh are both scripts that are spawned by a daemon running as root.

I attach my version of audit.rules.



[-- Attachment #2: audit_rules --]

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
## Set failure mode to panic
-f 2

## NOTE:
## 1) if this is being used on a 32 bit machine, comment out the b64 lines
## 2) These rules assume that login under the root account is not allowed.
## 3) It is also assumed that 500 represents the first usable user account.
## 4) If these rules generate too much spurious data for your tastes, limit the
## the syscall file rules with a directory, like -F dir=/etc
## 5) You can search for the results on the key fields in the rules
##
##
## (GEN002880: CAT II) The IAO will ensure the auditing software can
## record the following for each audit event: 
##- Date and time of the event 
##- Userid that initiated the event 
##- Type of event 
##- Success or failure of the event 
##- For I&A events, the origin of the request (e.g., terminal ID) 
##- For events that introduce an object into a user’s address space, and
##  for object deletion events, the name of the object, and in MLS
##  systems, the object’s security level.
##
## Things that could affect time
##-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
##-a always,exit -F arch=b32 -S clock_settime
-a exit,always -F arch=b64 -S clock_settime
-w /etc/localtime -p wa -k time-change

## Things that affect identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Things that could affect system locale
##-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

## Things that could affect MAC policy
##-w /etc/selinux/ -p wa -k MAC-policy


## (GEN002900: CAT III) The IAO will ensure audit files are retained at
## least one year; systems containing SAMI will be retained for five years.
##
## Site action - no action in config files

## (GEN002920: CAT III) The IAO will ensure audit files are backed up
## no less than weekly onto a different system than the system being
## audited or backup media.  
##
## Can be done with cron script

## (GEN002700: CAT I) (Previously – G095) The SA will ensure audit data
## files have permissions of 640, or more restrictive.
##
## Done automatically by auditd

## Newly added to conform with tests for GEN002760
-w /etc/audit/auditd.conf
-w /etc/audit/audit.rules
-a exit,always -F arch=b64 -S acct -S reboot -S swapon
-a exit,always -F arch=b64 -S setrlimit

## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
## configure the auditing system to audit the following events for all
## users and root:
##
## - Logon (unsuccessful and successful) and logout (successful)
##
## Handled by pam, sshd, login, and gdm
## Might also want to watch these files if needing extra information
#-w /var/log/faillog -p wa -k logins
#-w /var/log/lastlog -p wa -k logins


##- Process and session initiation (unsuccessful and successful)
##
## The session initiation is audited by pam without any rules needed.
## Might also want to watch this file if needing extra information
#-w /var/run/utmp -p wa -k session
#-w /var/log/btmp -p wa -k session
#-w /var/log/wtmp -p wa -k session

##- Discretionary access control permission modification (unsuccessful
## and successful use of chown/chmod)
##-a always,exit -F arch=b32 -S chmod -S fchmod
-a exit,always -F arch=b64 -S chmod -S fchmod -F auid>=500 -F auid!=4294967296 -k perm_mod
##-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S chown -S fchown -S lchown -F auid>=500 -F auid!=4294967296 -k perm_mod
##-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967296 -k perm_mod

##- Unauthorized access attempts to files (unsuccessful) 

## NOTE:
## This rule was modified because so much of the C-RAM software uses
## tests for presence of files to determine status/or to search for right
## configuration that audit.log would fill too fast and cause too large a 
## hit on performance.
 
##-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
##-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S creat -S open -S truncate -S ftruncate -F exit=-EACCES -F success=0 -F auid>=500 -F auid!=4294967295 -k access
-a exit,always -F arch=b64 -S creat -S open -S truncate -S ftruncate -F exit=-EPERM -F success=0 -F auid>=500 -F auid!=4294967295 -k access

##- Use of privileged commands (unsuccessful and successful)
## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
##-a exit,always -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged

##- Use of print command (unsuccessful and successful) 

##- Export to media (successful)
## You have to mount media before using it. You must disable all automounting
## so that it's done manually in order to get the correct user requesting the
## export
##-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

##- System startup and shutdown (unsuccessful and successful)

##- Files and programs deleted by the user
##-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

##- This rule was modified because otherwise our audit logs would fill too fast.
##- This matches our auditing in our Solaris version of C-RAM C2
-a exit,always -F arch=b64 -S unlink -F success=0 -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S rename -F auid>=500 -F auid!=4294967295 -k export

##- All system administration actions 
##- All security personnel actions
## 
## Look for pam_tty_audit and add it to your login entry point's pam configs.
## If that is not found, use sudo which should be patched to record its
## commands to the audit system. Do not allow unrestricted root shells or
## sudo cannot record the action.
-w /etc/sudoers -p wa -k actions

## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will
##ensure old audit logs are closed and new audit logs are started daily.
##
## Site action. Can be assisted by a cron job

## Not specifically required by the STIG; but common sense items
## Optional - could indicate someone trying to do something bad or
## just debugging
#-a exit,always -F arch=b32 -S ptrace -k tracing
#-a exit,always -F arch=b64 -S ptrace -k tracing

## Optional - could be an attempt to bypass audit or simply legacy program
#-a always,exit -F arch=b32 -S personality -k bypass
#-a always,exit -F arch=b64 -S personality -k bypass

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey

## Make the configuration immutable - reboot is required to change audit rules
-e 1






* Re: Captured system calls that should be filtered out
  2012-01-20 16:27 Captured system calls that should be filtered out Kaplan, Eric D (IS)
@ 2012-01-20 16:49 ` Marcelo Cerri
  0 siblings, 0 replies; 2+ messages in thread
From: Marcelo Cerri @ 2012-01-20 16:49 UTC (permalink / raw)
  To: linux-audit

Hi,

Try auid!=4294967295 instead of auid!=4294967296.

Regards,
Marcelo

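The following is an added example, not code from either poster or from the audit package. It models the auid filter from the perm_mod rule over SYSCALL records shaped like the two quoted in the thread, to show why `-F auid!=4294967296` lets the unset-loginuid daemon children through while `-F auid!=4294967295` drops them. The assumptions: the kernel compares auid as an unsigned 32-bit field, so the "unset" login UID (-1) is 4294967295 (0xFFFFFFFF) and 4294967296 (2**32) cannot be represented in it; this example models an out-of-range value as truncated to 32 bits (so 4294967296 becomes 0), which is why the rule then behaves like `auid!=0`. A given auditctl version may instead reject the value outright, but either way it never equals the unset auid. The two long sample lines are abridged from the thread; the auid=1000 and auid=0 records are constructed for contrast.

```python
"""Simulate auditctl's '-F auid>=500 -F auid!=N' filter over SYSCALL records.

Added example, not part of the original thread. Assumes the auid field is an
unsigned 32-bit value in the kernel filter (so unset == 0xFFFFFFFF) and that an
out-of-range value like 4294967296 is truncated to 32 bits (becoming 0).
"""
import re
from collections import Counter

AUID_UNSET = 0xFFFFFFFF   # (unsigned)-1: process never went through a login
UID_MIN = 500             # first regular account, per the STIG rules comment

# Two records abridged from the thread plus two constructed ones.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1326897520.970:2005250): arch=c000003e syscall=91 '
    'success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="time_adjust.ksh" exe="/bin/ksh93" key="perm_mod"',
    'type=SYSCALL msg=audit(1326897480.144:2005238): arch=c000003e syscall=91 '
    'success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="find_client_sta" exe="/bin/ksh93" key="perm_mod"',
    # constructed: a logged-in user (auid=1000) running chmod under sudo
    'type=SYSCALL msg=audit(1326897600.000:2005300): arch=c000003e syscall=90 '
    'success=yes exit=0 auid=1000 uid=0 euid=0 tty=pts0 ses=7 '
    'comm="chmod" exe="/bin/chmod" key="perm_mod"',
    # constructed: a direct root login (auid=0), excluded by auid>=500
    'type=SYSCALL msg=audit(1326897700.000:2005400): arch=c000003e syscall=90 '
    'success=yes exit=0 auid=0 uid=0 euid=0 tty=tty1 ses=8 '
    'comm="chmod" exe="/bin/chmod" key="perm_mod"',
]

# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def to_u32(value):
    """Model the 32-bit filter field: anything outside 0..2**32-1 wraps."""
    return value & 0xFFFFFFFF


def auid_filter_matches(auid, uid_min=UID_MIN, not_equal=AUID_UNSET):
    """True if '-F auid>=uid_min -F auid!=not_equal' would fire for this auid."""
    return auid >= uid_min and auid != to_u32(not_equal)


def records_captured(records, not_equal):
    """comm= values of the records a rule written with 'auid!=not_equal' logs."""
    captured = []
    for line in records:
        rec = parse_record(line)
        if auid_filter_matches(int(rec["auid"]), not_equal=not_equal):
            captured.append(rec["comm"])
    return captured


def noise_by_source(records, not_equal):
    """Count what the rule logs by (exe, auid): the loudest source stands out."""
    counts = Counter()
    for line in records:
        rec = parse_record(line)
        if auid_filter_matches(int(rec["auid"]), not_equal=not_equal):
            counts[(rec["exe"], rec["auid"])] += 1
    return counts


if __name__ == "__main__":
    for bad_or_good in (4294967296, 4294967295):
        print(f"auid!={bad_or_good} (compared as {to_u32(bad_or_good)}):",
              records_captured(SAMPLE_RECORDS, bad_or_good))
    print("noise with the mistyped value:",
          dict(noise_by_source(SAMPLE_RECORDS, 4294967296)))
```

Run as a script, the mistyped value captures both ksh93 children (auid=4294967295) together with the legitimate auid=1000 chmod, while the corrected value captures only the chmod. The `noise_by_source` pass is the kind of quick grouping that makes a flooded log analysable before the rule is fixed: it shows the offending records all share exe=/bin/ksh93 and auid=4294967295, pointing straight at the daemon's children rather than at any user.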

