From: Steve Grubb
To: Linux-Audit Mailing List
Subject: Re: 2nd Round AuditRules Questions
Date: Wed, 20 Jan 2021 18:08:44 -0500
Message-ID: <7207971.EvYhyI6sBW@x2>
Organization: Red Hat
In-Reply-To: <316007965.1268500.1611102131083@mail.yahoo.com>
References: <316007965.1268500.1611102131083.ref@mail.yahoo.com> <316007965.1268500.1611102131083@mail.yahoo.com>
On Tuesday, January 19, 2021 7:22:11 PM EST Joe Wulf wrote:
> 1. The rules for monitoring '/etc/passwd', '/etc/shadow', '/etc/group',
> '/etc/gshadow' exist. Shouldn't corresponding rules also exist for the
> same four files which also have a dash/hyphen appended to them (i.e.
> '/etc/passwd-', etc.)?

You can add them if you want to. But I'm not planning to add them to the
audit repo. There are requirements around monitoring changes of security
attributes. This is covered by auditing events hardwired in the utilities
that update them such as shadow utils. However, an admin could also use vi
or nano to directly edit the files. That is all the watch is for. The files
with the '-' are not used for authentication or setting up any user subject
binding.

> 2. By adding 'audit=1' to grub kernel boot params---can I then safely
> eliminate this piece from all audit rules: '-F auid!=4294967295'?

It depends on your intent. But this has nothing to do with audit=1.

> Conversely, what harm would it do to 'just leave it'?

Your logs will be flooded by daemon activity instead of things that people
do.

> It would, in some cases, satisfy certain vulnerability scanning tools
> seeking exact syntax compliance, right?

I have no idea about what anyone would be compliant to. So, it's hard to
make a blanket statement. If you need to audit daemon activity and users,
then yes you would want to remove the '-F auid!=4294967295'. But your logs
will fill up much quicker.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
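As an added example that is not part of the thread, a small POSIX shell script that quantifies the daemon noise Steve describes: it counts how many records carry the unset login UID 4294967295 (exactly what '-F auid!=4294967295' excludes) against those tied to a real user, and lists which programs produce the noise. The audit records, program names and the "identity" key are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example: measure how much of an audit log is daemon activity, i.e.
# records whose auid is the "unset" sentinel 4294967295 that the rule field
# '-F auid!=4294967295' would drop. All records below are constructed.
SAMPLE_LOG='type=SYSCALL msg=audit(1611184303.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=0 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" key="identity"
type=SYSCALL msg=audit(1611184310.202:202): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1611184320.303:203): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key="identity"
type=SYSCALL msg=audit(1611184325.350:204): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=0 comm="crond" exe="/usr/sbin/crond" key="identity"
type=SYSCALL msg=audit(1611184330.404:205): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=0 comm="nano" exe="/usr/bin/nano" key="identity"'

UNSET_AUID=4294967295

# Pull the auid= and comm= fields out of each SYSCALL record and print one
# "auid comm" pair per line. Field order in audit records is not fixed, so
# scan every token instead of relying on positions.
extract_auid_comm() {
    awk '/^type=SYSCALL/ {
        auid = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (auid != "") print auid, comm
    }'
}

# Records the '-F auid!=4294967295' filter would drop (no login UID).
count_unset_auid() {
    printf '%s\n' "$SAMPLE_LOG" | extract_auid_comm \
        | awk -v u="$UNSET_AUID" '$1 == u' | wc -l | tr -d ' '
}

# Records attributable to a logged-in user (what survives the filter).
count_user_auid() {
    printf '%s\n' "$SAMPLE_LOG" | extract_auid_comm \
        | awk -v u="$UNSET_AUID" '$1 != u' | wc -l | tr -d ' '
}

# Which programs generate the unset-auid noise, as "count comm" lines.
daemon_noise_by_comm() {
    printf '%s\n' "$SAMPLE_LOG" | extract_auid_comm \
        | awk -v u="$UNSET_AUID" '$1 == u { n[$2]++ } END { for (c in n) print n[c], c }' \
        | sort -rn
}

printf 'unset-auid (daemon) records: %s\n' "$(count_unset_auid)"
printf 'user-attributed records:     %s\n' "$(count_user_auid)"
daemon_noise_by_comm
```

Run against a real log by replacing SAMPLE_LOG with the file contents; a high unset-auid share is the flooding Steve warns about if the filter is removed.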