From mboxrd@z Thu Jan  1 00:00:00 1970
From: rshaw1@umbc.edu
Subject: Re: auid=0
Date: Mon, 3 Aug 2015 14:53:52 -0400
Message-ID: <5078d5cdd4a92b5757767c0f248ef91b.squirrel@webmail.umbc.edu>
References: <3db3c7197b826469a01470b399b61d28.squirrel@webmail.umbc.edu>
	<8232042.ns10VY4MF9@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <8232042.ns10VY4MF9@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote:
>> Comparing the "official" STIG content with the scap-security-guide
>> content, the former seems to have added corresponding rules for "-F
>> auid=0" that aren't present in scap-security guide.  i.e. where
>> scap-security-guide will just have one rule:
>>
>> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F
>> auid!=4294967295 -k delete
>>
>> the official content will have the above plus:
>>
>> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
>>
>> Is the addition necessary?
>
> Does the official STIG allow root logins? If so, I think that is a big
> mistake
> and should be fixed.  If it does not allow root logins, then the only way
> I can
> think of having auid to be 0 is for root cron jobs.

It doesn't, but that doesn't mean they don't love to layer the hell out of
things.

>> It doesn't seem to be, as the rules caught root usage of, for example,
>> chmod
>> just fine without it (I had used su; not sure if there's a difference
>> between
>> that and other ways of being root.) I would like to make sure I'm right
>> before asking one group or the other to delete or add it, respectively.
>
> Perhaps they consider root cronjobs to be an attack vector?

Perhaps.  What about exploiting a daemon that runs as root?  Would cron be
the only one to show up as auid=0?  I know there is some sort of thing
that happens where the daemon will inherit the <somthing>uid of anyone who
restarts it, but I'm not sure what it would start as at boot.

I'm hoping to not have to nearly double the amount of rules, but I'm
guessing it doesn't work to have auid >=500, !=4294967295, and =0 in the
same rule (when I tried it, it seemed to stop catching chmod altogether).

--Ray