On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
I was specifically wondering if I was missing the appropriate
syscall
for the use of setuid or setgid.
From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x
-
F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x
-F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
But, if all you want is setuid, then you can use a rule like this instead of
file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
-Steve
On 09/02/2015 10:32 PM, rshaw1(a)umbc.edu wrote:
>> I'm currently testing auditd with rules for setuid or setgid binaries on
>> the system.
>>
>> I currently maintain the list via find, and pushing the results to a
>> audit.rules file.
>>
>> I'm hoping there's a cleaner way, perhaps by triggering on the
>> appropriate syscall -- but have not discovered it.
>>
>> Is there an easier method?
>
> The find method is what I use (though I push it to a file in rules.d and
> then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> find to generate these rules is actually in the text of, IIRC, at least
> one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> automated as the way I do it.
>
> --Ray
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit