Re: AuditRule Questions
Steve,
On Tuesday, January 19, 2021, 11:57:03 AM EST, Steve Grubb <sgrubb(a)redhat.com>
wrote:
On Tuesday, January 19, 2021 8:15:33 AM EST Joe Wulf wrote:
> 1. In audit rules 2.8.5 (front portion of the rules):> > > > ##
Unsuccessful file access (any other opens) This has to go last.> > -a always,exit -F
arch=b32 -S> > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
exit=-EACCES-a> > always,exit -F arch=b64 -S> >
open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES-a> >
always,exit -F arch=b32 -S> > open,creat,truncate,ftruncate,openat,open_by_handle_at
-F exit=-EPERM-a> > always,exit -F arch=b64 -S> >
open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM> > Whereas in
audit rules 3.0, the same portion of the same rules looks like:> > -a always,exit -F
arch=b32 -S> > open,creat,truncate,ftruncate,openat,open_by_handle_at -F
exit=-EACCES-a> > always,exit -F arch=b32 -S> >
open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM-a> >
always,exit -F arch=b64 -S> > open,truncate,ftruncate,creat,openat,open_by_handle_at
-F exit=-EACCES-a> > always,exit -F arch=b64 -S> >
open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM> > > >
The ordering of the syscalls differs between the two, as well as the> > sequential
order of the rules themselves. I better understand that the> > first audit-rule
matched 'wins'.- Please help me understand the reason> > for the change in
sequence, but also for the change in the order of the> > syscalls (i.e. between
2.8.5 and 3.0).> > There were several 3.0 alpha releases. I'm not sure which one
you are calling > 3.0. Because I can't find an exact match. Based on the text
above, I do not > see the syscall ordering changed at all. The only thing that I see is
in > 2.8.5 they are grouped by exit code whereas 3.0 is grouped by arch. Since >
this group of rules all have the same key, they are working as a team. That > means
that what matters is the placement of this group of rules relative to > other groups of
rules is what matters. In both cases a syscall can ever only > match one of them - the
exit code either is or isn't EPERM, it either is or > isn't b32.>
<snip>>
-Steve
Steve,
Thank you for the wealth of feedback. All very useful. Thank you.
I pulled v3.0 of the audit rules out of RHEL 8.3.
In the sections I referenced, for v2.8.5 the syscalls for b64 are in the order
of:open,create,truncate,ftruncate .....
in v3.0, they are in the order of:open,truncate,ftruncate,create ....
Since, as you say above, the audit rule can only ever match one syscal.... I'm now
understanding the actual order of the syscall's is no longer relevant on such lines
(from an auditing perspective)?
In general for a any given system being run and audited by either set of rules, the end
result I suspect would be the same.The challenge could come in when certain vulnerability
tools assess the system, and do so by seeking an exact match of rule syntax.
Thank you.
R,-Joe Wulf
Attachments:
- attachment.html (text/html — 5.7 KB)