* Re: Why exclude unset auid in STIG rules [not found] <A08CED02BC8EFC4B89CE0E0B16F995C4389B9DF6@azrc4sazmsg10.rc4s.com> @ 2016-05-11 18:34 ` Steve Grubb 2016-05-11 18:40 ` Wyatt, Curtis 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2016-05-11 18:34 UTC (permalink / raw) To: Wyatt, Curtis; +Cc: linux-audit@redhat.com On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote: > I don't understand why the STIG audit rules have -F auid!=4294967295 in it. > If auid is unset, why wouldn't you still want to see the events in the > logs? When a user logs in, the auid gets set to the uid that they used to login with. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The rules use a directive like this: -F auid>=1000 to trigger on user activity. It turns out that would trigger on daemons doing something because 4294967295 is greater than 1000. So, we exclude daemons because user activity is the prime target. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Why exclude unset auid in STIG rules 2016-05-11 18:34 ` Why exclude unset auid in STIG rules Steve Grubb @ 2016-05-11 18:40 ` Wyatt, Curtis 2016-05-11 19:10 ` Steve Grubb 0 siblings, 1 reply; 6+ messages in thread From: Wyatt, Curtis @ 2016-05-11 18:40 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit@redhat.com Ok, so the assumption is that daemons are not compromised? In other words, if a daemon is compromised (or could be compromised), wouldn't you want to monitor it's behavior as well? -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Wednesday, May 11, 2016 11:35 AM When a user logs in, the auid gets set to the uid that they used to login with. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The rules use a directive like this: -F auid>=1000 to trigger on user activity. It turns out that would trigger on daemons doing something because 4294967295 is greater than 1000. So, we exclude daemons because user activity is the prime target. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Why exclude unset auid in STIG rules 2016-05-11 18:40 ` Wyatt, Curtis @ 2016-05-11 19:10 ` Steve Grubb 2016-05-11 20:16 ` Wyatt, Curtis 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2016-05-11 19:10 UTC (permalink / raw) To: Wyatt, Curtis; +Cc: linux-audit@redhat.com On Wednesday, May 11, 2016 06:40:52 PM Wyatt, Curtis wrote: > Ok, so the assumption is that daemons are not compromised? This is a complicated topic. Basically there are different levels of paranoia. The STIG in my mind addresses basic robustness. If you read through the SRG, the things its requiring are reasonable but not paranoid. I also think of it as a starting point. You can certainly tighten your system more than the STIG calls out. This is because you have specific knowledge of your operating environment and the threats that go with it. This might be for example knowledge about a daemon you have installed and whether or not its likely to be compromised. You can, with specific knowledge, add rules just for that daemon. But I don't think everyone wants to be held to the needs of a particular setup. I think there is a difference in what rules you would use to spot bad user activity vs the rules you would use for intrusion detection. (I am working on and testing rules for intrusion detection and they will be in an upcoming release.) > In other words, if a daemon is compromised (or could be compromised), > wouldn't you want to monitor it's behavior as well? Perhaps if you feel that this is likely to happen in your environment. You may also wind up with so many events that you cannot see what a rogue employee just did right before they quit. Or so many events that you only can keep the last hour's logs on-hand. I don't see anything in the SRG that leans towards IDS-like rules. Do you see any? -Steve > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Wednesday, May 11, 2016 11:35 AM > > When a user logs in, the auid gets set to the uid that they used to login > with. Daemons are not user sessions and have the loginuid set to -1. The > auid representation is an unsigned 32 bit integer. So, -1 becomes > 4294967295. The rules use a directive like this: -F auid>=1000 to trigger > on user activity. It turns out that would trigger on daemons doing > something because 4294967295 is greater than 1000. So, we exclude daemons > because user activity is the prime target. ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Why exclude unset auid in STIG rules 2016-05-11 19:10 ` Steve Grubb @ 2016-05-11 20:16 ` Wyatt, Curtis 2016-05-11 20:43 ` Warron S French 0 siblings, 1 reply; 6+ messages in thread From: Wyatt, Curtis @ 2016-05-11 20:16 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit@redhat.com > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Wednesday, May 11, 2016 12:11 PM > > On Wednesday, May 11, 2016 06:40:52 PM Wyatt, Curtis wrote: > > Ok, so the assumption is that daemons are not compromised? > > This is a complicated topic. Basically there are different levels of paranoia. > The STIG in my mind addresses basic robustness. If you read through the > SRG, the things its requiring are reasonable but not paranoid. > > I also think of it as a starting point. You can certainly tighten your system > more than the STIG calls out. This is because you have specific knowledge of > your operating environment and the threats that go with it. This might be for > example knowledge about a daemon you have installed and whether or not > its likely to be compromised. You can, with specific knowledge, add rules just > for that daemon. But I don't think everyone wants to be held to the needs of > a particular setup. That makes sense, because the STIGS are applied to a wide variety of systems operating in a variety of threat environments. > > I think there is a difference in what rules you would use to spot bad user > activity vs the rules you would use for intrusion detection. (I am working on > and testing rules for intrusion detection and they will be in an upcoming > release.) Love this. > > In other words, if a daemon is compromised (or could be compromised), > > wouldn't you want to monitor it's behavior as well? > > Perhaps if you feel that this is likely to happen in your environment. You may > also wind up with so many events that you cannot see what a rogue > employee just did right before they quit. Or so many events that you only > can keep the last hour's logs on-hand. Which is why I'm also exploring the best options for compressing logs. But that's another topic for another time. > > I don't see anything in the SRG that leans towards IDS-like rules. Do you see > any? No, I do not. But now I understand all the reasoning. As always, your very helpful, thanks. Curtis ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Why exclude unset auid in STIG rules 2016-05-11 20:16 ` Wyatt, Curtis @ 2016-05-11 20:43 ` Warron S French 0 siblings, 0 replies; 6+ messages in thread From: Warron S French @ 2016-05-11 20:43 UTC (permalink / raw) To: Wyatt, Curtis, Steve Grubb; +Cc: linux-audit@redhat.com This is an interesting development. I will have to keep my eyes peeled for this thread. Warron French, MBA, SCSA ________________________________________ From: linux-audit-bounces@redhat.com <linux-audit-bounces@redhat.com> on behalf of Wyatt, Curtis <Curtis.Wyatt@gd-ms.com> Sent: Wednesday, May 11, 2016 4:16 PM To: Steve Grubb Cc: linux-audit@redhat.com Subject: RE: Why exclude unset auid in STIG rules > -----Original Message----- > From: Steve Grubb [mailto:sgrubb@redhat.com] > Sent: Wednesday, May 11, 2016 12:11 PM > > On Wednesday, May 11, 2016 06:40:52 PM Wyatt, Curtis wrote: > > Ok, so the assumption is that daemons are not compromised? > > This is a complicated topic. Basically there are different levels of paranoia. > The STIG in my mind addresses basic robustness. If you read through the > SRG, the things its requiring are reasonable but not paranoid. > > I also think of it as a starting point. You can certainly tighten your system > more than the STIG calls out. This is because you have specific knowledge of > your operating environment and the threats that go with it. This might be for > example knowledge about a daemon you have installed and whether or not > its likely to be compromised. You can, with specific knowledge, add rules just > for that daemon. But I don't think everyone wants to be held to the needs of > a particular setup. That makes sense, because the STIGS are applied to a wide variety of systems operating in a variety of threat environments. > > I think there is a difference in what rules you would use to spot bad user > activity vs the rules you would use for intrusion detection. (I am working on > and testing rules for intrusion detection and they will be in an upcoming > release.) Love this. > > In other words, if a daemon is compromised (or could be compromised), > > wouldn't you want to monitor it's behavior as well? > > Perhaps if you feel that this is likely to happen in your environment. You may > also wind up with so many events that you cannot see what a rogue > employee just did right before they quit. Or so many events that you only > can keep the last hour's logs on-hand. Which is why I'm also exploring the best options for compressing logs. But that's another topic for another time. > > I don't see anything in the SRG that leans towards IDS-like rules. Do you see > any? No, I do not. But now I understand all the reasoning. As always, your very helpful, thanks. Curtis -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 6+ messages in thread
* Why exclude unset auid in STIG rules @ 2016-05-11 18:32 Wyatt, Curtis 0 siblings, 0 replies; 6+ messages in thread From: Wyatt, Curtis @ 2016-05-11 18:32 UTC (permalink / raw) To: linux-audit@redhat.com I don't understand why the STIG audit rules have -F auid!=4294967295 in it. If auid is unset, why wouldn't you still want to see the events in the logs? Curtis ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-05-11 20:43 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <A08CED02BC8EFC4B89CE0E0B16F995C4389B9DF6@azrc4sazmsg10.rc4s.com>
2016-05-11 18:34 ` Why exclude unset auid in STIG rules Steve Grubb
2016-05-11 18:40 ` Wyatt, Curtis
2016-05-11 19:10 ` Steve Grubb
2016-05-11 20:16 ` Wyatt, Curtis
2016-05-11 20:43 ` Warron S French
2016-05-11 18:32 Wyatt, Curtis
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox