From: LC Bruzenak
Subject: Re: Excluding few executable from audit.rules in redhat6.5
Date: Mon, 17 Nov 2014 10:14:59 -0600
Message-ID: <546A1F03.3030805@magitekltd.com>
In-Reply-To: <2049003.dURlEamkhM@x2>
References: <08DF6CD1326DBF4A80321CEA93761E5F1CB1A523@eusaamb103.ericsson.se> <2049003.dURlEamkhM@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
On 11/17/2014 09:30 AM, Steve Grubb wrote:
> Well, what do you really want to do? In general, I'd look at the original
> auditing rule to see if its scope can be narrowed. In this case, it appears
> that you are wanting all calls to chmod. Why? Are you more concerned with
> failed calls to chmod, meaning a user is trying to change system files? Are
> system daemons calling chmod OK? Or do you really want everything? Or do you
> want no events at all for that daemon no matter what the syscall?
>
> The event you are showing is that app successfully making a directory world
> writable/readable. It's setting the sticky bit, so it's "safe."

I think this is auditing because the supplied STIG rules specify it. The
"perm_mod" key is the hint.

You probably do not want to remove this rule for all chmod syscalls.

You cannot exclude an executable itself from the rule set by name. The
"exclude" option only applies to event types.

You could exclude it by type, except it is running as a generic
unconfined_t.

Perhaps it can be mitigated by "-F path !=" or something similar.
Check the auditctl man page for options.
LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
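Before narrowing a STIG perm_mod rule, it helps to answer Steve's questions from the log itself: which executables generate the events, whether they run unattended (no login uid), whether the calls fail, and whether any of them make something world-writable without the sticky bit. The script below is an added example for this thread, not code from the mail or from the audit project. It parses audit SYSCALL records keyed "perm_mod", groups them by exe, and lists the executables whose events look like harmless daemon noise. It assumes x86_64 syscall numbers (chmod 90, fchmod 91, fchmodat 268) and the "unset" auid value 4294967295; the sample records, the daemon name /usr/sbin/exampled and the paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the mail). The layout follows the
# kernel's SYSCALL record; on x86_64, syscall 90 is chmod and the requested
# mode travels in a1 as hex. The daemon name and the paths are invented.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1416239699.101:501): arch=c000003e syscall=90 success=yes exit=0 a0=7f1e0 a1=3ff a2=0 a3=0 items=1 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exampled" exe="/usr/sbin/exampled" subj=unconfined_u:system_r:unconfined_t:s0 key="perm_mod"
type=SYSCALL msg=audit(1416239699.102:502): arch=c000003e syscall=90 success=yes exit=0 a0=7f1e0 a1=1ff a2=0 a3=0 items=1 ppid=3100 pid=3101 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="chmod" exe="/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=SYSCALL msg=audit(1416239699.103:503): arch=c000003e syscall=90 success=no exit=-1 a0=7f1e0 a1=1a4 a2=0 a3=0 items=1 ppid=3100 pid=3102 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="chmod" exe="/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=SYSCALL msg=audit(1416239699.104:504): arch=c000003e syscall=90 success=yes exit=0 a0=7f1e0 a1=3ff a2=0 a3=0 items=1 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="exampled" exe="/usr/sbin/exampled" subj=unconfined_u:system_r:unconfined_t:s0 key="perm_mod"
"""

# Which argument carries the mode, per x86_64 syscall number (assumption: the
# host is x86_64, arch=c000003e). chmod and fchmod take it in a1, fchmodat in a2.
MODE_ARG = {"90": "a1", "91": "a1", "268": "a2"}

AUID_UNSET = 4294967295  # kernel value for "no login uid" (daemons started at boot)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def requested_mode(rec):
    """Return the mode argument of a chmod-family call as an int, or None."""
    arg = MODE_ARG.get(rec.get("syscall"))
    if arg is None or arg not in rec:
        return None
    return int(rec[arg], 16)


def summarize(log_text, key="perm_mod"):
    """Per-executable counts for SYSCALL records carrying the given key."""
    summary = defaultdict(lambda: {"total": 0, "failed": 0, "unattended": 0,
                                   "world_writable_no_sticky": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        entry = summary[rec.get("exe", "?")]
        entry["total"] += 1
        if rec.get("success") != "yes":
            entry["failed"] += 1
        if int(rec.get("auid", AUID_UNSET)) == AUID_UNSET:
            entry["unattended"] += 1
        mode = requested_mode(rec)
        # World-writable (o+w) without the sticky bit is the case worth a look;
        # 1777-style modes, as in the event discussed above, are not flagged.
        if mode is not None and (mode & 0o002) and not (mode & 0o1000):
            entry["world_writable_no_sticky"] += 1
    return dict(summary)


def narrowing_candidates(summary):
    """Executables whose perm_mod events are all successful, unattended (no
    login uid) and never leave a world-writable mode without the sticky bit:
    the daemon noise the rule could be narrowed around."""
    return sorted(exe for exe, e in summary.items()
                  if e["failed"] == 0 and e["unattended"] == e["total"]
                  and e["world_writable_no_sticky"] == 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for exe, e in sorted(s.items()):
        print(exe, e)
    print("candidates for narrowing:", narrowing_candidates(s))
```

Run it against `ausearch -k perm_mod --raw` output instead of SAMPLE_LOG to see which executables dominate; the failed-call count per exe is what answers Steve's "failed calls by a user" question, and anything with a non-zero world_writable_no_sticky count should stay audited regardless of how the rule is narrowed.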