On Thursday, February 13, 2020 11:35:46 AM EST MAUPERTUIS, PHILIPPE wrote:
> Subject: Re: Auditing a program use but not what it is doing
>
> On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE wrote:
> > Like many, we are using aide and clamav.
> > I would like to have an audit record when these programs are run but no
> > records for what they are doing. I mean, I want to know that clamscan or
> > aide has been launched but not that it checks say /etc/passwd, whatever
> > rules could be in place for /etc/passwd.
>
> Then all you need to do is place a watch on them.
>
> -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
> Just to be sure I understand how it works:
> If we have two rules in that order:
> -a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
The exe option is to audit syscalls by a specific application. For example,
you might want to use it to see what IP address an application connects to.
-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash
To place a _watch_ on a file, you use the path option with permission of
executable. The rule above should be:
-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run
There should be other examples like this in the shipped rules.
> -a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
This will create an event whenever an application writes to or changes
permissions of passwd. Try running adduser or chmod it.
> When running aide:
> - the first rule produces a message
> - the second rule is ignored
It would only trigger on a write/permission change.
-Steve
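To make the distinction in this thread concrete, here is a small added example (not part of the original mails and not audit code): it parses the three rules discussed, flags the exe-based line as not being a file watch, and models which watch keys would fire when aide is executed versus when aide merely reads /etc/passwd. The rule text and the event list are constructed; the matching is a simplified model of the path/perm watch semantics Steve describes, not the kernel's.

```python
import shlex

# Constructed rule set mirroring the thread: the exe-based line Philippe
# wrote, the path-based watch Steve suggests instead, and the /etc/passwd watch.
RULES = [
    "-a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run",
    "-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run",
    "-a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts",
]

def parse_rule(line):
    """Collect the -F name=value pairs of an auditctl -a line into a dict."""
    toks = shlex.split(line)
    fields = {}
    for i, tok in enumerate(toks):
        if tok == "-F" and i + 1 < len(toks):
            name, _, value = toks[i + 1].partition("=")
            fields[name] = value
    return fields

def is_watch(fields):
    # A file watch is path= plus perm=; exe= only narrows a syscall rule to
    # events generated by that binary and does not watch the binary itself.
    return "path" in fields and "perm" in fields

def lint(line):
    """Flag a rule that gives perm= together with exe= but no path=."""
    f = parse_rule(line)
    if "perm" in f and "path" not in f and "exe" in f:
        return "not a watch: use -F path=%s instead of -F exe=%s" % (f["exe"], f["exe"])
    return None

def fired_keys(rules, path, access):
    """Simplified model: keys of the watches on `path` whose perm letters
    (r, w, x, a) include the access type of the event."""
    keys = []
    for line in rules:
        f = parse_rule(line)
        if is_watch(f) and f["path"] == path and access in f["perm"]:
            keys.append(f.get("key"))
    return keys

if __name__ == "__main__":
    for r in RULES:
        print(lint(r) or "ok", "<-", r)
    # Executing aide hits the x watch on its path; aide reading /etc/passwd
    # does not hit the wa watch, so nothing records what aide checked.
    print(fired_keys(RULES, "/usr/sbin/aide", "x"))   # ['aide_run']
    print(fired_keys(RULES, "/etc/passwd", "r"))      # []
    print(fired_keys(RULES, "/etc/passwd", "w"))      # ['10.2.5.c-accounts']
```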