Audit class/lab
by Steve Grubb
Hello,
I normally don't put the word out about speeches I give, or things like that.
But I am going to be teaching a hands-on audit class to demonstrate how to
configure, setup rules, and do searching and reporting using the native linux
audit tools.
The lab will be part of the Defence in Depth conference in Washington (Tyson's
Cormers, VA) on Sept 1. Its free, you just have to register. More info:
http://www.redhat.com/en/about/events/2015-defense-depth
I will be going over new features that aids insider threat detection and signs
of intrusion in addition to basics. Bring your questions and problems, let's
talk.
-Steve
9 years, 2 months
Watching over non-existent folder to maintain a generic audit.rules file
by Florian Crouzat
Hello,
I'm a bit new with auditd so excuse me if this question has been already
answered but I failed to find answers.
I'm in the process of replacing a FIM tool by auditd which is by far
more powerful but I wanted to describe all possibles files and folders
(or system calls) that I need to watch over in a generic audit.rules
files that I would deploy on thousands of hosts.
Unfortunately, I do not only watch over system-related files and folders
but also applicative ones (eg custom path where some private keys are
stored, etc) ..
My problem is that these folders do not exists on all hosts thus making
it impossible to write a generic audit.rules files.
As I said, I have thousands of hosts and I can't imagine deploying
different files on every hosts depending on the profile of the host.
I know puppet could help me for this kind of stuff but I don't have it
yet and even though, it would be difficult to configure.
How do you guys usually workaround this issue ? I'm pretty sure I'm not
the first one wanting to deploy a generic hardening across many hosts
(but maybe I'm the only one using auditd to watch over something else
than pure system-related stuff?
Thanks,
Florian
9 years, 3 months
[PATCH V6 0/4] audit by executable name
by Richard Guy Briggs
Please see the accompanying userspace patchset:
https://www.redhat.com/archives/linux-audit/2015-July/thread.html
[[PATCH V2] 0/2] Log on the future execution of a path
The userspace interface is not expected to change appreciably unless something
important has been overlooked. Setting and deleting rules works as expected.
If the path does not exist at rule creation time, it will be re-evaluated every
time there is a change to the parent directory at which point the change in
device and inode will be noted.
Here's a sample run:
Test for addition, trigger and deletion of tree executable rule:
# auditctl -a always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.720:44711): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add_rule" key="exetest_tree" list=4 res=1
----
# /usr/bin/touch /tmp/test
----
time->Sat Jul 11 10:41:50 2015
type=PROCTITLE msg=audit(1436629310.757:44712): proctitle=2F7573722F62696E2F746F756368002F746D702F74657374
type=PATH msg=audit(1436629310.757:44712): item=1 name="/tmp/test" inode=166932 dev=00:24 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=CREATE
type=PATH msg=audit(1436629310.757:44712): item=0 name="/tmp/" inode=11525 dev=00:24 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(1436629310.757:44712): cwd="/root"
type=SYSCALL msg=audit(1436629310.757:44712): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdee2f9e27 a1=941 a2=1b6 a3=691 items=2 ppid=17655 pid=17762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="exetest_tree"
----
# auditctl -d always,exit -S all -F dir=/tmp -F exe=/usr/bin/touch -F key=exetest_tree
----
time->Sat Jul 11 10:41:50 2015
type=CONFIG_CHANGE msg=audit(1436629310.839:44713): auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove_rule" key="exetest_tree" list=4 res=1
----
Revision history:
v6: Explicitly declare prototypes as external.
Rename audit_dup_exe() to audit_dupe_exe() consistent with rule, watch, lsm_field.
Rebased on v4.1.
Rename audit_remove_mark_rule() called from audit_mark_handle_event() to
audit_autoremove_mark_rule() to avoid confusion with
audit_remove_{watch,tree}_rule() usage.
Add audit_remove_mark_rule() to provide similar interface as
audit_remove_{watch,tree}_rule().
Simplify stubs to defines.
Rename audit_free_fsnotify_mark() to audit_fsnotify_free_mark() in keeping with
the naming convention of inotify_free_mark(), dnotify_free_mark(),
fanotify_free_mark(), audit_watch_free_mark().
Return -ENOMEM rather than null in case of memory allocation failure for
audit_mark in audit_alloc_mark().
Rename audit_free_mark() to audit_mark_free() to avoid association with
{i,d,fa}notify_free_mark() and audit_watch_free_mark().
Clean up exe with similar interface as watch and tree.
Clean up audit exe mark just before audit_free_rule() rather than in it to
avoid mutex in software interrupt context.
Fixed bug in audit_dupe_exe() that returned error rather than valid pointer.
v5: Revert patch "Let audit_free_rule() take care of calling
audit_remove_mark()." since it caused a group mark deadlock.
https://www.redhat.com/archives/linux-audit/2014-October/msg00024.html
v4: Re-order and squash down fixups
Fix audit_dup_exe() to copy pathname string before calling audit_alloc_mark().
https://www.redhat.com/archives/linux-audit/2014-August/msg00065.html
v3: Rationalize and rename some function names and clean up get/put and free code.
Rename several "watch" references to "mark".
Rename audit_remove_rule() to audit_remove_mark_rule().
Let audit_free_rule() take care of calling audit_remove_mark().
Put audit_alloc_mark() arguments in same order as watch, tree and inode.
Move the access to the entry for audit_match_signal() to the beginning
of the function in case the entry found is the same one passed in.
This will enable it to be used by audit_remove_mark_rule().
https://www.redhat.com/archives/linux-audit/2014-July/msg00000.html
v2: Misguided attempt to add in audit_exe similar to watches
https://www.redhat.com/archives/linux-audit/2014-June/msg00066.html
v1.5: eparis' switch to fsnotify
https://www.redhat.com/archives/linux-audit/2014-May/msg00046.html
https://www.redhat.com/archives/linux-audit/2014-May/msg00066.html
v1: Change to path interface instead of inode
https://www.redhat.com/archives/linux-audit/2014-May/msg00017.html
v0: Peter Moodie's original patches
https://www.redhat.com/archives/linux-audit/2012-August/msg00033.html
Future step:
Get full-path notify working.
Eric Paris (1):
audit: implement audit by executable
Richard Guy Briggs (3):
audit: clean simple fsnotify implementation
audit: convert audit_exe to audit_fsnotify
audit: avoid double copying the audit_exe path string
include/linux/audit.h | 1 +
include/uapi/linux/audit.h | 2 +
kernel/Makefile | 2 +-
kernel/audit.h | 33 ++++++
kernel/audit_exe.c | 50 +++++++++
kernel/audit_fsnotify.c | 246 ++++++++++++++++++++++++++++++++++++++++++++
kernel/audit_tree.c | 2 +
kernel/audit_watch.c | 4 +
kernel/auditfilter.c | 63 +++++++++++-
kernel/auditsc.c | 16 +++
10 files changed, 415 insertions(+), 4 deletions(-)
create mode 100644 kernel/audit_exe.c
create mode 100644 kernel/audit_fsnotify.c
9 years, 3 months
auparse with AUSOURCE_DESCRIPTOR
by Satish Chandra Kilaru
Has anyone tried AUSOURCE_DESCRIPTOR with a unix socket as fd?
I am doing the following.
int sd_u = socket(AF_UNIX, SOCK_STREAM, 0);
connect(sd_u, (struct sockaddr *) &sa, sizeof(sa))!=0)
auparse_state_t *au = auparse_init(AUSOURCE_DESCRIPTOR, (const void *)sd_u);
auparse_add_callback(au, auparse_callback, event_cnt, free);
ausearch_next_event(au);
My auparse_callback() is not getting called. My program just blocks in
ausearch_next_event().
read(sd_u, buf, sizeof(buf)) gets me events... That means I am using
correct unix socket.
How do I make the callback function to get called for each event?
Am I missing something here?
Thanks in advance.
--Satish
--
Please Donate to www.wikipedia.org
9 years, 3 months
Getting events on unix socket
by Satish Chandra Kilaru
I would like to receive events on unix socket in binary format.
There is already another program that is reading events from unix socket in
string format.
I created another config file as below...
active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0640 /var/run/satish_events
format = binary
In my test program I am reading events from the socket
/var/run/satish_events
Surprisingly I see events in string format as well as binary format.
Is it by design or a bug?
--
Please Donate to www.wikipedia.org
9 years, 3 months
audit releases in recent RHEL releases (eg 6 and 7)
by Burn Alting
All,
I know this more a question for Red Hat, but before I approach my local
Red Hat rep, does anyone on the list know why RHEL6 only implements up
to a version of 2.3.7 yet RHEL7 goes up to a version of 2.4.1.
Basically, I want to know if RHEL6 can accept some elements from the
2.4[.0] release if I ask really really reeeeeeeeeally nicely.
Rgds
9 years, 3 months
Using audit as extended inotify
by Tyler Hardin
I want to monitor file and directory creation, modification, and deletion
on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
name of the executable that caused the event. The purpose will be to
facilitate cruft detection and removal.
Can audit do this? Will using it to do this with such large subtrees become
a performance issue?
9 years, 3 months
RE: Audit Class Lab
by Maupertuis Philippe
Hi,
A little off topic, but maybe the answer is known.
is there a similar event to 2015 Defense in Depth in Europe.
I would have a hard time to get approval for a one day session in the US.
Regards
Philippe
-----Message d'origine-----
De : linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de linux-audit-request(a)redhat.com
Envoyé : lundi 27 juillet 2015 18:00
À : linux-audit(a)redhat.com
Objet : Linux-audit Digest, Vol 130, Issue 18
Send Linux-audit mailing list submissions to
linux-audit(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/linux-audit
or, via email, send a message with subject or body 'help' to
linux-audit-request(a)redhat.com
You can reach the person managing the list at
linux-audit-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Linux-audit digest..."
Today's Topics:
1. Re: FTBFS with clang instead of gcc (Zbigniew J?drzejewski-Szmek)
2. Re: Audit class/lab (Steve Grubb)
----------------------------------------------------------------------
Message: 1
Date: Sun, 26 Jul 2015 21:49:50 +0000
From: Zbigniew J?drzejewski-Szmek <zbyszek(a)in.waw.pl>
To: Laurent Bigonville <bigon(a)debian.org>
Cc: linux-audit(a)redhat.com, 787066-forwarded(a)bugs.debian.org
Subject: Re: FTBFS with clang instead of gcc
Message-ID: <20150726214950.GC27014(a)in.waw.pl>
Content-Type: text/plain; charset=us-ascii
On Sun, Jul 26, 2015 at 03:58:44PM +0200, Laurent Bigonville wrote:
> Hi,
>
> Apparently audit is FTBFS with clang due to the embedded version of
> libev with the following error (see: [0]):
>
> ../../../../src/libev/ev.c:970:42: error: '_Noreturn' keyword must
> precede function declarator
>
> The bug[0] provides a patch. I don't think this has been fixed
> upstream yet. There was however a small thread [1] about this on
> upstream ML.
>
> Not sure what's the policy regarding patching embedded copy of libev.
The policy is to kill the embedded copy as soon as possible.
Seems like a good time to do that.
Zbyszek
------------------------------
Message: 2
Date: Mon, 27 Jul 2015 09:35:56 -0400
From: Steve Grubb <sgrubb(a)redhat.com>
To: burn(a)swtf.dyndns.org
Cc: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
Subject: Re: Audit class/lab
Message-ID: <15980868.FdKdW6R9DX@x2>
Content-Type: text/plain; charset="us-ascii"
On Saturday, July 25, 2015 08:39:22 AM Burn Alting wrote:
> Steve,
>
> The agenda infers that to attend a lab, you must bring a wifi-capable
> laptop with an SSH client installed.
>
> Is this a requirement for your lab or just the Applied SCAP Lab?
Its not my requirement. However, since it will be about Linux auditing and people are requested to have a laptop with a linux image available, ssh client should be there. Again, no plans for ssh right now.
-Steve
> On Thu, 2015-07-16 at 14:12 -0400, Steve Grubb wrote:
> > On Thursday, July 16, 2015 05:03:26 PM Smith, Gary R wrote:
> > > Any chance that your presentation would get recorded for later
> > > viewing by those of us who have no budget for travel at the end of
> > > the fiscal year?
> >
> > This presentation will not be recorded. Slides will be available. I
> > might do something separately from this conference so that there's
> > something people can watch. But I expect the lab to be interactive
> > where people can say, "We have these requirements, what would be the best way to do it?"
> > And sometimes, there isn't a best way and I take notes to look into
> > it more deeply.
> >
> > -Steve
> >
> > > On 07/15/2015 03:22 PM, Steve Grubb wrote:
> > > > Hello,
> > > >
> > > > I normally don't put the word out about speeches I give, or
> > > > things like that. But I am going to be teaching a hands-on audit
> > > > class to demonstrate how to configure, setup rules, and do
> > > > searching and reporting using the native linux audit tools.
> > > >
> > > > The lab will be part of the Defence in Depth conference in
> > > > Washington (Tyson's Cormers, VA) on Sept 1. Its free, you just have to register.
> > > > More info:
> > > >
> > > > http://www.redhat.com/en/about/events/2015-defense-depth
> > > >
> > > > I will be going over new features that aids insider threat
> > > > detection and signs of intrusion in addition to basics. Bring
> > > > your questions and problems, let's talk.
> > > >
> > > > -Steve
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit(a)redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
------------------------------
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
End of Linux-audit Digest, Vol 130, Issue 18
********************************************
Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité de Worldline ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
9 years, 3 months