Re: Question on the unset user in audit

On Tuesday, November 05, 2013 10:19:23 PM Burn Alting wrote: > All, > > I have seen some audit.rules that ignore ALL events involving auid being > the unset user ie a rule segment of > > -F auid!=4294967295 > > What are the possible risks of excluding recording events from the unset > auid? Especially since I believe root could override the auid by writing > to /proc/self/loginuid. In talking with agencies like DISA, what they wanted is to identify events originating from users as opposed to normal "system" activities. Meaning that if during startup disks are mounted, its an uninteresting event because its normal startup activity. However, if there is an associated auid >= 500, then its user originating and of interest. Should an admin change their auid, there will be an audit event recording that fact. That said, Linux is not designed in any way to guard against a malicious admin. One of the assumptions in Common Criteria is A.NO_EVIL_ADMIN and there are training clauses. But there are some steps that can be taken. On newer kernels there is the object comparator commands '-C' where you can detect abuses of power such as an admin accessing a user's home directory. If you are really wanting to use the audit system to even detect signs of compromise, then you can to some extent. You can see apps crashing, you can imagine SE Linux as a defined behavior of applications so that AVC's represent attempts at intrusion, you can also see other attempted changes to the system such as installing executables. But I think at some point the system may be compromised to the point that you can't detect it from the host, you have to have external monitoring and look for suspicious behavior outside the system. Not sure if that was the direction you were going with your question. :-) -Steve