* perhaps obvious question: auditd and setuid/setgid?
From: John Jasen @ 2015-09-02 23:06 UTC (permalink / raw)
To: linux-audit
I'm currently testing auditd with rules for setuid or setgid binaries on
the system.
I currently maintain the list via find, and push the results to an
audit.rules file.
I'm hoping there's a cleaner way, perhaps by triggering on the
appropriate syscall -- but have not discovered it.
Is there an easier method?
* Re: perhaps obvious question: auditd and setuid/setgid?
From: rshaw1 @ 2015-09-03 2:32 UTC (permalink / raw)
To: John Jasen; +Cc: linux-audit
> I'm currently testing auditd with rules for setuid or setgid binaries on
> the system.
>
> I currently maintain the list via find, and push the results to an
> audit.rules file.
>
> I'm hoping there's a cleaner way, perhaps by triggering on the
> appropriate syscall -- but have not discovered it.
>
> Is there an easier method?
The find method is what I use (though I push it to a file in rules.d and
then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
find to generate these rules is actually in the text of, IIRC, at least
one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
automated as the way I do it.
--Ray
* Re: perhaps obvious question: auditd and setuid/setgid?
From: John Jasen @ 2015-09-04 14:54 UTC (permalink / raw)
To: linux-audit
I was specifically wondering if I was missing the appropriate syscall
for the use of setuid or setgid.
From a brief examination and test, this appears to not be the case?
On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
>> I'm currently testing auditd with rules for setuid or setgid binaries on
>> the system.
>>
>> I currently maintain the list via find, and push the results to an
>> audit.rules file.
>>
>> I'm hoping there's a cleaner way, perhaps by triggering on the
>> appropriate syscall -- but have not discovered it.
>>
>> Is there an easier method?
> The find method is what I use (though I push it to a file in rules.d and
> then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> find to generate these rules is actually in the text of, IIRC, at least
> one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> automated as the way I do it.
>
> --Ray
>
* Re: perhaps obvious question: auditd and setuid/setgid?
From: Steve Grubb @ 2015-09-04 16:20 UTC (permalink / raw)
To: linux-audit
On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
> From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
But, if all you want is setuid, then you can use a rule like this instead of
file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
-Steve
> On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and push the results to an
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: perhaps obvious question: auditd and setuid/setgid?
From: John Jasen @ 2015-09-04 17:36 UTC (permalink / raw)
To: linux-audit
On 09/04/2015 12:20 PM, Steve Grubb wrote:
> On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
>> I was specifically wondering if I was missing the appropriate syscall
>> for the use of setuid or setgid.
>>
>> From a brief examination and test, this appears to not be the case?
>
> There are a couple ways to do this. One is using the find method. However, that
> does not take into account file system based capabilities. In the lab I taught
> this week, the rules generator also included this:
<snipped> filecap examples to add LINUX_CAP executables to audit.rules.
Huh .... I did not think of that.
> But, if all you want is setuid, then you can use a rule like this instead of
> file watches:
>
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
Perfect! Thanks.
For future generations googling for answers, I did the following:
-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv
I didn't pursue the last match, -F euid=0, as there may be cases where
you wish to audit setuid usage, but the binary is not setuid to root.
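Putting Steve's two approaches and John's final rules together in one generator, as an added example that is not code from this thread: it emits path watches for setuid/setgid binaries (the find method), path watches for binaries carrying file capabilities (which find misses), and the execve rules. It assumes getcap from libcap is installed for the capability scan (swapped in for filecap because getcap's first column is always the path regardless of version); everything else is POSIX sh, find and awk.

```shell
#!/bin/sh
# Added example (not from the thread): generate an auditd rule file covering
# setuid/setgid binaries, file-capability binaries and privilege-changing execs.
set -eu

# One watch rule per privileged executable, in the format Steve's awk produced.
# "--" keeps printf from treating the leading "-a" as an option.
priv_rule() {
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n' "$1"
}

# Rules for every setuid or setgid regular file below the given directories
# (the find method from the thread; -xdev keeps it off other mounts).
setuid_rules() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort -u |
        while IFS= read -r path; do priv_rule "$path"; done
}

# Rules for files that carry file system capabilities, which the find method
# does not see. Assumes getcap (libcap); its first column is the path.
filecap_rules() {
    getcap -r "$@" 2>/dev/null | awk '{ print $1 }' | sort -u |
        while IFS= read -r path; do priv_rule "$path"; done
}

# Syscall rules that catch any setuid/setgid exec regardless of path:
# after execve, uid!=euid or gid!=egid means a set-id bit took effect.
# The b32 copies are needed or 32-bit binaries on a 64-bit kernel are missed.
execve_rules() {
    for arch in b64 b32; do
        printf -- '-a always,exit -F arch=%s -S execve -C uid!=euid -F key=execpriv\n' "$arch"
        printf -- '-a always,exit -F arch=%s -S execve -C gid!=egid -F key=execpriv\n' "$arch"
    done
}

# Assemble the rule file; sort -u so a path found by both scans gets one watch.
gen_rules() {
    { setuid_rules "$@"; filecap_rules "$@"; } | sort -u
    execve_rules
}

# Usage: sh gen-priv-rules.sh /bin /sbin /usr/bin /usr/sbin > /etc/audit/rules.d/priv.rules
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

After writing the file, run augenrules --load (or auditctl -R) and exercise a setuid binary to confirm the execpriv key shows up in ausearch -k execpriv.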