auditctl for admin's accessing other user files

auditctl for admin's accessing other user files

[Skaggs, Nicholas C]

[-- Attachment #1.1: Type: text/plain, Size: 1186 bytes --]

Hello
I noticed in the man page for auditctl, an example of how to monitor if admins are accessing other user's files. I created a rule like the one in the example. This is great that it is pulling the action and user calling the action!

The rule
-a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid

I will pull a report on the findings with
aureport -f -i | grep /home/username/

The report is heavier than anticipated so I tried to make an adjustment to only capture what happens in the directory
-a always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid
... but that is returning with  Error sending add rule data request (Invalid argument)

I then tried the below rule; it does not return an error upon add, but when I do an auditctl -l there are no rules listed
-a always,exit -S all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid

Is there a preferred  way to set the rule, maybe on the inode of the directory, but does not lose the ability to see if an admin is doing it and what action?  I have been adding these on the fly, instead of adding to the /etc/audit/audit.rules file, for now.


Thanks!
Nick Skaggs


[-- Attachment #1.2: Type: text/html, Size: 6027 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auditctl for admin's accessing other user files

[Steve Grubb]

On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
> the action!
> 
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid

You might also want to add     -F auid>=1000 -F auid!=4294967295
So that you get events caused by people and not system daemons. This might be 
all that you need to do.

> I will pull a report on the findings with
> aureport -f -i | grep /home/username/
> 
> The report is heavier than anticipated so I tried to make an adjustment to
> only capture what happens in the directory -a always,exit -S all -F
> path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> with  Error sending add rule data request (Invalid argument)

You should use the "dir" option rather than "path". A full example would be:
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295
-C auid!=obj_uid

-Steve

> I then tried the below rule; it does not return an error upon add, but when
> I do an auditctl -l there are no rules listed -a always,exit -S all -F
> path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> 
> Is there a preferred  way to set the rule, maybe on the inode of the
> directory, but does not lose the ability to see if an admin is doing it
> and what action?  I have been adding these on the fly, instead of adding
> to the /etc/audit/audit.rules file, for now.
> 
> 
> Thanks!
> Nick Skaggs

Re: auditctl for admin's accessing other user files

[Steve Grubb]

On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor if
> admins are accessing other user's files. I created a rule like the one in
> the example. This is great that it is pulling the action and user calling
> the action!
> 
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
> 
> I will pull a report on the findings with
> aureport -f -i | grep /home/username/

One other thing to comment on. You might do the report part a little
different. I'd let ausearch do the filtering before it goes to aureport. Its
much more flexible. For example, if you added a key to the rule "admin-access".
Then you can do this:

summary of all accesses
ausearch --start today -k admin-access --raw | aureport --summary -f

summary for a specific dir
ausearch --start today -k admin-access -f /home/username --raw | aureport --summary -f

summary of who did it
ausearch --start today -k admin-access --raw | aureport --summary -u -i

summary for a sepcific admin
ausearch --start today -k admin-access --loginuid admin-name --raw | aureport --summary -f

If you don't use the key in the searches, then you may be getting
unrelated events in the report.

-Steve

> The report is heavier than anticipated so I tried to make an adjustment to
> only capture what happens in the directory -a always,exit -S all -F
> path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> with  Error sending add rule data request (Invalid argument)
> 
> I then tried the below rule; it does not return an error upon add, but when
> I do an auditctl -l there are no rules listed -a always,exit -S all -F
> path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> 
> Is there a preferred  way to set the rule, maybe on the inode of the
> directory, but does not lose the ability to see if an admin is doing it
> and what action?  I have been adding these on the fly, instead of adding
> to the /etc/audit/audit.rules file, for now.
> 
> 
> Thanks!
> Nick Skaggs

RE: auditctl for admin's accessing other user files

[Skaggs, Nicholas C]

Thank you very much, Steve! Very helpful info!

I also added some of the variations of the reporting you suggested using ausearch. Good stuff.

N.

On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> Hello
> I noticed in the man page for auditctl, an example of how to monitor 
> if admins are accessing other user's files. I created a rule like the 
> one in the example. This is great that it is pulling the action and 
> user calling the action!
> 
> The rule
> -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid

You might also want to add     -F auid>=1000 -F auid!=4294967295
So that you get events caused by people and not system daemons. This might be all that you need to do.

> I will pull a report on the findings with aureport -f -i | grep 
> /home/username/
> 
> The report is heavier than anticipated so I tried to make an 
> adjustment to only capture what happens in the directory -a 
> always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid 
> ... but that is returning with  Error sending add rule data request 
> (Invalid argument)

You should use the "dir" option rather than "path". A full example would be:
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid

-Steve

> I then tried the below rule; it does not return an error upon add, but 
> when I do an auditctl -l there are no rules listed -a always,exit -S 
> all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> 
> Is there a preferred  way to set the rule, maybe on the inode of the 
> directory, but does not lose the ability to see if an admin is doing 
> it and what action?  I have been adding these on the fly, instead of 
> adding to the /etc/audit/audit.rules file, for now.
> 
> 
> Thanks!
> Nick Skaggs

Re: auditctl for admin's accessing other user files

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 2563 bytes --]

This is very cool!  I didn't know you could pass data from ausearch into
aureport.  Does the -f option simply expect stdin if a file is not
specified then?


--------------------------
Warron French


On Mon, Jun 25, 2018 at 5:28 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> > Hello
> > I noticed in the man page for auditctl, an example of how to monitor if
> > admins are accessing other user's files. I created a rule like the one in
> > the example. This is great that it is pulling the action and user calling
> > the action!
> >
> > The rule
> > -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
> >
> > I will pull a report on the findings with
> > aureport -f -i | grep /home/username/
>
> One other thing to comment on. You might do the report part a little
> different. I'd let ausearch do the filtering before it goes to aureport.
> Its
> much more flexible. For example, if you added a key to the rule
> "admin-access".
> Then you can do this:
>
> summary of all accesses
> ausearch --start today -k admin-access --raw | aureport --summary -f
>
> summary for a specific dir
> ausearch --start today -k admin-access -f /home/username --raw | aureport
> --summary -f
>
> summary of who did it
> ausearch --start today -k admin-access --raw | aureport --summary -u -i
>
> summary for a sepcific admin
> ausearch --start today -k admin-access --loginuid admin-name --raw |
> aureport --summary -f
>
> If you don't use the key in the searches, then you may be getting
> unrelated events in the report.
>
> -Steve
>
> > The report is heavier than anticipated so I tried to make an adjustment
> to
> > only capture what happens in the directory -a always,exit -S all -F
> > path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is returning
> > with  Error sending add rule data request (Invalid argument)
> >
> > I then tried the below rule; it does not return an error upon add, but
> when
> > I do an auditctl -l there are no rules listed -a always,exit -S all -F
> > path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> >
> > Is there a preferred  way to set the rule, maybe on the inode of the
> > directory, but does not lose the ability to see if an admin is doing it
> > and what action?  I have been adding these on the fly, instead of adding
> > to the /etc/audit/audit.rules file, for now.
> >
> >
> > Thanks!
> > Nick Skaggs
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

[-- Attachment #1.2: Type: text/html, Size: 3727 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auditctl for admin's accessing other user files

[Steve Grubb]

On Friday, June 29, 2018 10:44:48 PM EDT warron.french wrote:
> This is very cool!  I didn't know you could pass data from ausearch into
> aureport.  Does the -f option simply expect stdin if a file is not
> specified then?

ausearch and aureport both check stdin to see if its a pipe. If so, it reads 
it instead of the logs. This leads to the common problem of getting no output 
when run from a cron job. This is because the cron job creates a pipe for 
stdin even when it doesn't pipe anything to it. So, that lead to the creation 
of the --input-logs commandline option to force it to read the logs even when 
stdin is a pipe.

So, if you wanted to do one of those reports mentioned below from a cron job, 
then the ausearch would need to use that option but aureport wouldn't so that 
it can process the output of ausearch. Also note that when piping them, they 
expect data in the raw format.

-Steve

> On Mon, Jun 25, 2018 at 5:28 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> > > Hello
> > > I noticed in the man page for auditctl, an example of how to monitor if
> > > admins are accessing other user's files. I created a rule like the one
> > > in
> > > the example. This is great that it is pulling the action and user
> > > calling
> > > the action!
> > > 
> > > The rule
> > > -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
> > > 
> > > I will pull a report on the findings with
> > > aureport -f -i | grep /home/username/
> > 
> > One other thing to comment on. You might do the report part a little
> > different. I'd let ausearch do the filtering before it goes to aureport.
> > Its
> > much more flexible. For example, if you added a key to the rule
> > "admin-access".
> > Then you can do this:
> > 
> > summary of all accesses
> > ausearch --start today -k admin-access --raw | aureport --summary -f
> > 
> > summary for a specific dir
> > ausearch --start today -k admin-access -f /home/username --raw | aureport
> > --summary -f
> > 
> > summary of who did it
> > ausearch --start today -k admin-access --raw | aureport --summary -u -i
> > 
> > summary for a sepcific admin
> > ausearch --start today -k admin-access --loginuid admin-name --raw |
> > aureport --summary -f
> > 
> > If you don't use the key in the searches, then you may be getting
> > unrelated events in the report.
> > 
> > -Steve
> > 
> > > The report is heavier than anticipated so I tried to make an adjustment
> > 
> > to
> > 
> > > only capture what happens in the directory -a always,exit -S all -F
> > > path=/home/username/ -F uid=0 -C auid!=obj_uid ... but that is
> > > returning
> > > with  Error sending add rule data request (Invalid argument)
> > > 
> > > I then tried the below rule; it does not return an error upon add, but
> > 
> > when
> > 
> > > I do an auditctl -l there are no rules listed -a always,exit -S all -F
> > > path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> > > 
> > > Is there a preferred  way to set the rule, maybe on the inode of the
> > > directory, but does not lose the ability to see if an admin is doing it
> > > and what action?  I have been adding these on the fly, instead of
> > > adding
> > > to the /etc/audit/audit.rules file, for now.
> > > 
> > > 
> > > Thanks!
> > > Nick Skaggs
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit