12:54 p.m.
I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is running
with an Audit ID of -1. Example ID values are:
auid=4294967295
uid=48
gid=48
...
So if use the standard filter "-F auid!=-1” in the audit rules I do not see httpd
activity.
Is this common?
How do I change the auid to something else, so I can capture the httpd activity in the
audit log?
Example audit line:
type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 success=yes exit=15
a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 ppid=1130 pid=1253 auid=4294967295
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd" exe="/usr/sbin/httpd" key=(null)
Thanks,
Todd
1:29 p.m.
On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
I’ve noticed that the httpd process on a CentOS 7.7 system I am
working
with is running with an Audit ID of -1. Example ID values are:
auid=4294967295
uid=48
gid=48
...
So if use the standard filter "-F auid!=-1” in the audit rules I do not see
httpd activity.
Is this common?
Yes, this is common. Most people are interested in the actions that people
take on the machine rather than normal system functioning.
How do I change the auid to something else, so I can capture the
httpd
activity in the audit log?
A couple of ways.
1) remove the auid!=-1. That will get you all daemons.
2) Use audit by executable rules:
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
-Steve
Example audit line:
type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" key=(null)
1:47 p.m.
Thanks!
This has some interesting implications regarding attackers coming in through a
vulnerability in an organization's web services. I’ll have to compare what relevant
information I can capture in the audit logs vs. what is captured in web server logs.
Todd
On Jul 30, 2020, at 11:29 AM, Steve Grubb <sgrubb(a)redhat.com>
wrote:
On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
> with is running with an Audit ID of -1. Example ID values are:
>
> auid=4294967295
> uid=48
> gid=48
> ...
>
> So if use the standard filter "-F auid!=-1” in the audit rules I do not see
> httpd activity.
>
> Is this common?
Yes, this is common. Most people are interested in the actions that people
take on the machine rather than normal system functioning.
> How do I change the auid to something else, so I can capture the httpd
> activity in the audit log?
A couple of ways.
1) remove the auid!=-1. That will get you all daemons.
2) Use audit by executable rules:
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
-Steve
> Example audit line:
>
> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" key=(null)
4:41 p.m.
On Thursday, July 30, 2020 2:47:05 PM EDT Todd Heberlein wrote:
Thanks!
This has some interesting implications regarding attackers coming in
through a vulnerability in an organization's web services. I’ll have to
compare what relevant information I can capture in the audit logs vs. what
is captured in web server logs.
The audit rules are designed to common criteria, STIG, PCI-DS, etc. To date,
no one has articulated any rules that need to be written against any server.
The rule naming scheme recognizes that may be a possibility and set aside
rules that start with 50- specifically for server rules. But with some many
daemons, where to start? And what to monitor?
If you are thinking about intrusion detection, then I have been working on
that problem for a while. There are specific rules that detect specific
actions. But unless you've thought of everything, there is always a hole.
Once they get inside, they probably want to do recon to see what they have to
work with.
-a always,exit -F perm=x -F path=/usr/bin/uname -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/rpm -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/dnf -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/w -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/who -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/whoami -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/id -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/netstat -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/ss -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/route -F key=ids-recon
...etc.
But then they might want to use a tool downloaded to escalate. You might be
able to detect them making it executable:
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file
-F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/tmp -F a1&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/tmp -F a2&0111 -F filetype=file
-F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/var/tmp -F a1&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/var/tmp -F a2&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/dev/shm -F a1&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/dev/shm -F a2&0111 -F
filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
There's a lot of rules to add. And this will get noisy because many system
scripts do things that look like recon. Update looks like mkexec.
What I'd recommend is also looking at something like fapolicyd to prevent
execution of any downloaded tools. That will give a bigger signal to noise
ratio that trying to craft some audit rules. Because ultimately, audit can
tell you something was executed. It can't tell you the software doesn't
belong on the system.
-Steve
> On Jul 30, 2020, at 11:29 AM, Steve Grubb
<sgrubb(a)redhat.com> wrote:
>
> On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
>> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
>>
>> with is running with an Audit ID of -1. Example ID values are:
>> auid=4294967295
>> uid=48
>> gid=48
>> ...
>>
>> So if use the standard filter "-F auid!=-1” in the audit rules I do not
>> see httpd activity.
>>
>> Is this common?
>
> Yes, this is common. Most people are interested in the actions that
> people
> take on the machine rather than normal system functioning.
>
>> How do I change the auid to something else, so I can capture the httpd
>> activity in the audit log?
>
> A couple of ways.
> 1) remove the auid!=-1. That will get you all daemons.
> 2) Use audit by executable rules:
> -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F
> key=httpd-exec
>
> -Steve
>
>> Example audit line:
>>
>> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
>> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720
>> items=1
>> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>> fsuid=48
>> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" key=(null)
1605
days inactive
1605
days old
linux-audit@lists.linux-audit.osci.io
3 comments
2 participants
participants (2)
-
Steve Grubb -
Todd Heberlein