HI Paul,
Thank you for the quick response.
I am rusty on linux and I might be confused.
The question is, can I directly call any of those
(setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) from the
command line, or do they need to be part of a script?
Is it possible that those are not installed in cbl-mariner? I would say so but I cannot
find a package available in mariner github. The only thing I found similar is “attr”, but
using it as a rule instead of, let's say, setxattr, it won't even register as a rule.
Any attempt to run setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
returns "command not found".
How can I repro those rules without being able to use the commands to modify a
file/directory?
Regards.
AlexT
From: Paul Moore <paul(a)paul-moore.com>
Date: Thursday, May 19, 2022 at 12:46 PM
To: Alex Triantafillidis (DESIGN LABORATORY INC) <v-alextri(a)microsoft.com>
Cc: linux-audit(a)redhat.com <linux-audit(a)redhat.com>
Subject: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
On Thu, May 19, 2022 at 12:45 PM Alex Triantafillidis (DESIGN
LABORATORY INC) <v-alextri(a)microsoft.com> wrote:
Hello Audit,
I am trying to implement a set of rules related to “xattrs” on a MS CBL-Mariner 1.0.
I am following this guide.
Record Events that Modify the System's Discretionary Access Controls Group contains
13 rules
[ref] At a minimum, the audit system should collect file permission changes for all
users and root. Note that the "-F arch=b32" lines should be present even on a 64
bit system. These commands identify system calls for auditing. Even if the system is 64
bit it can still execute 32 bit system calls. Additionally, these rules can be configured
in a number of ways while still achieving the desired effect. An example of this is that
the "-S" calls could be split up and placed on separate lines, however, this is
less efficient. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced
with arch=b64 as follows:
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
Thing is, I get an error for any of
setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr:
bash: setxattr: command not found
Hi Alex,
Are you trying to execute the /etc/audit/audit.rules file directly
(like it was a bash script)? I'm asking because the error you are
getting makes it look like bash is trying to execute a program named
"setxattr" which isn't going to work; the lines in audit.rules are
intended to be passed as command line arguments to auditctl. Look at
the augenrules script (repo link below) and the auditctl '-R' option.
* https://github....
--
paul-moore.com
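Added example, not part of the thread above: the six names in the perm_mod rules are system calls, not programs, so a quick way to exercise them (e.g. to check that the loaded rules produce records) is to invoke them from Python's os module, which wraps setxattr/lsetxattr/fsetxattr and removexattr/lremovexattr/fremovexattr directly. The attribute name user.audit_repro and the file layout are constructed for this example; the rule fires on syscall exit regardless of the return value, so an EPERM or ENOTSUP outcome still generates an audit record.

```python
import errno
import os
import tempfile

# Constructed attribute name in the unprivileged "user." namespace.
XATTR_NAME = "user.audit_repro"

SYSCALLS = ["setxattr", "lsetxattr", "fsetxattr",
            "removexattr", "lremovexattr", "fremovexattr"]


def exercise_xattr_syscalls(path: str) -> list[tuple[str, str]]:
    """Issue each of the six xattr syscalls against `path` and report the
    outcome per syscall: "ok" or the errno name (e.g. ENOTSUP when the
    filesystem has no user xattrs, EPERM for user.* on a symlink)."""
    link = path + ".lnk"                      # symlink beside the target
    if os.path.lexists(link):
        os.unlink(link)
    os.symlink(os.path.basename(path), link)  # relative link -> target
    fd = os.open(path, os.O_RDONLY)           # fd for the f* variants
    steps = [
        ("setxattr",     lambda: os.setxattr(path, XATTR_NAME, b"1")),
        ("lsetxattr",    lambda: os.setxattr(link, XATTR_NAME, b"1",
                                             follow_symlinks=False)),
        ("fsetxattr",    lambda: os.setxattr(fd, XATTR_NAME, b"1")),
        ("removexattr",  lambda: os.removexattr(path, XATTR_NAME)),
        ("lremovexattr", lambda: os.removexattr(link, XATTR_NAME,
                                                follow_symlinks=False)),
        ("fremovexattr", lambda: os.removexattr(fd, XATTR_NAME)),
    ]
    results = []
    try:
        for name, call in steps:
            try:
                call()
                results.append((name, "ok"))
            except OSError as e:
                results.append((name, errno.errorcode.get(e.errno, str(e.errno))))
    finally:
        os.close(fd)
        os.unlink(link)
    return results


def run_repro() -> list[tuple[str, str]]:
    """Create a scratch file in a temp dir and exercise the syscalls on it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        with open(target, "w") as f:
            f.write("x")
        return exercise_xattr_syscalls(target)


if __name__ == "__main__":
    for name, outcome in run_repro():
        print(f"{name:13s} {outcome}")
```

Run it as a normal logged-in user (the rules filter on auid>=1000) with the rules loaded via auditctl -R or augenrules, then `ausearch -k perm_mod` should show one SYSCALL record per call, including the ones that returned an error.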