Re: What STIG audit rule picks up type=SOFTWARE_UPDATE events?

From: Steve Grubb <sgrubb@redhat.com>
To: Linux-audit@redhat.com, linux-audit@redhat.com
Subject: Re: What STIG audit rule picks up type=SOFTWARE_UPDATE events?
Date: Wed, 17 May 2023 00:12:07 -0400	[thread overview]
Message-ID: <5677897.DvuYhMxLoT@x2> (raw)
In-Reply-To: <e61e9b19-cccd-2717-7291-fdbd524c97ef@s4software.com>

Hello,

On Sunday, May 14, 2023 8:24:47 PM EDT Claire Stafford wrote:
> This brings up the question of where I can find the audit events which
> are generated by rpm?

ausearch --start today -m SOFTWARE_UPDATE

> Also dnf/yum if they directly generate events?

No, they are linked against librpm. It in turn has a plugin, rpm-plugin-
audit, which generates the audit events.

> A very quick scan of the rpm source code doesn't reveal anything.

https://github.com/rpm-software-management/rpm/blob/master/plugins/audit.c

-Steve

> On 5/14/23 14:46, Steven Grubb wrote:
> > Hello,
> > 
> > 
> > On Fri, May 12, 2023 at 5:23 PM Wieprecht, Karen M.
> > 
> > <Karen.Wieprecht@jhuapl.edu> wrote:
> >     All,
> >     
> >     Do you happen to know which if the standard STIG rules is picking
> >     up   type=SOFTWARE_UPDATE events on RHEL 7 and 8 ?
> > 
> > None. rpm has been altered to produce these much the same as pam
> > produces login events. It was too tricky to tell the intent to update
> > vs querying the rpm database. And you have no way to answer the
> > question about success without originating from inside rpm itself. I
> > don't think any external rules can meet all requirements imposed by
> > OSPP, which the STIG audit rules are loosely based on.
> > 
> > -Steve
> > 
> >       I’m trying to figure out if we missed one of these rules on an
> >     Ubuntu 20 system we are configuring  or if maybe the audit
> >     subsystem implementation on that system doesn’t pick up all of the
> >     same record types as we get on our RHEL boxes. I realized when I
> >     started looking at this that it’s not easy to determine which
> >     audit rule is picking up a particular event if it’s not one of the
> >     rule that has a key associated with it.
> >     
> >     As a possible alternative,   I ran across a sample audit.rules
> >      list here GitHub - Neo23x0/auditd: Best Practice Auditd
> >     Configuration <https://github.com/Neo23x0/auditd>  (actual rules
> >     file is here: auditd/audit.rules at master · Neo23x0/auditd ·
> >     GitHub
> >     <https://github.com/Neo23x0/auditd/blob/master/audit.rules>) which
> >     included some software management rules that don’t appear to be
> >      part of the standard “30-stig.rules” .
> >     
> >     If the standard STIG rules don’t pick up  type=SOFTWARE_UPDATE
> >     events on Ubuntu20,  I might add some of these , so I was hoping
> >     to have a quick sanity check on whether these look like
> >     appropriate alternatives.  Any recommendations or comments
> >     regarding these sample rules would be much appreciated.  Basically
> >     it looks to me like they are just setting watches for anyone
> >      executing these various commands, which shouldn’t cause to much
> >     noise in the logs except maybe when we are patching which is one
> >     of the continuous monitoring items I  need to be able to confirm.
> >     
> >     Thanks much!
> >     
> >     Karen Wieprecht
> >     
> >     # Software Management
> >     ---------------------------------------------------------
> >     
> >     # RPM (Redhat/CentOS)
> >     
> >     -w /usr/bin/rpm -p x -k software_mgmt
> >     
> >     -w /usr/bin/yum -p x -k software_mgmt
> >     
> >     # DNF (Fedora/RedHat 8/CentOS 8)
> >     
> >     -w /usr/bin/dnf -p x -k software_mgmt
> >     
> >     # YAST/Zypper/RPM (SuSE)
> >     
> >     -w /sbin/yast -p x -k software_mgmt
> >     
> >     -w /sbin/yast2 -p x -k software_mgmt
> >     
> >     -w /bin/rpm -p x -k software_mgmt
> >     
> >     -w /usr/bin/zypper -k software_mgmt
> >     
> >     # DPKG / APT-GET (Debian/Ubuntu)
> >     
> >     -w /usr/bin/dpkg -p x -k software_mgmt
> >     
> >     -w /usr/bin/apt -p x -k software_mgmt
> >     
> >     -w /usr/bin/apt-add-repository -p x -k software_mgmt
> >     
> >     -w /usr/bin/apt-get -p x -k software_mgmt
> >     
> >     -w /usr/bin/aptitude -p x -k software_mgmt
> >     
> >     -w /usr/bin/wajig -p x -k software_mgmt
> >     
> >     -w /usr/bin/snap -p x -k software_mgmt
> >     
> >     # PIP(3) (Python installs)
> >     
> >     -w /usr/bin/pip -p x -k T1072_third_party_software
> >     
> >     -w /usr/local/bin/pip -p x -k T1072_third_party_software
> >     
> >     -w /usr/bin/pip3 -p x -k T1072_third_party_software
> >     
> >     -w /usr/local/bin/pip3 -p x -k T1072_third_party_software
> >     
> >     # npm
> >     
> >     ## T1072 third party software
> >     
> >     ## https://www.npmjs.com
> >     
> >     ## https://docs.npmjs.com/cli/v6/commands/npm-audit
> >     
> >     -w /usr/bin/npm -p x -k T1072_third_party_software
> >     
> >     --
> >     Linux-audit mailing list
> >     Linux-audit@redhat.com
> >     https://listman.redhat.com/mailman/listinfo/linux-audit
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://listman.redhat.com/mailman/listinfo/linux-audit

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit