3:28 p.m.
Hello,
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit'log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
-k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
-k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
Thanks
-Jim
4:19 p.m.
On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
I need to log file edit attempts when a user doesn't have
permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit'log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
Have you looked at the latest nispom.rules file in the audit package? I have a
set of rules that should meet NISPOM requirements. If it doesn't I'd like to
know what is wrong with it so we can fix it. This set of rules looks similar
to it, but there are differences. The main difference is adding -F arch= to
each syscall rule to make sure the numbers are correct.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
-k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
-k creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F
exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F
exit=-EACCES -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
:)
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
This rule only watches one file. There could be more. You might want a rule
like:
-w /var/log/audit -k audit-logs
-Steve
9 a.m.
Can these rules apply to RHEL4 or just RHEL5? I, too, have to create a
NISPOM compliant network and have written scripts to do so. However, I am
just exploring the audit.rules settings in RHEL and wanted to know if these
changes are particular to a specific version of Red Hat.
Thanks!
Starr
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com]
On Behalf Of Steve Grubb
Sent: Thursday, May 22, 2008 4:20 PM
To: linux-audit(a)redhat.com
Subject: Re: NISPOM Auditing
On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
I need to log file edit attempts when a user doesn't have
permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit'log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
Have you looked at the latest nispom.rules file in the audit package? I have
a
set of rules that should meet NISPOM requirements. If it doesn't I'd like to
know what is wrong with it so we can fix it. This set of rules looks similar
to it, but there are differences. The main difference is adding -F arch= to
each syscall rule to make sure the numbers are correct.
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
-k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
-k creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F
exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F
exit=-EACCES -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
:)
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
This rule only watches one file. There could be more. You might want a rule
like:
-w /var/log/audit -k audit-logs
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
9:19 a.m.
On Tuesday 27 May 2008 10:00:19 corbin wrote:
Can these rules apply to RHEL4 or just RHEL5?
The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4
did. It also has more options in auditctl & kernel to make rules capture just
the required data. Some things you simply can't express in RHEL4. For
example, the ability to audit only users (auid>=500) rather than everything
including daemons. For RHEL4, you can get everything required for NISPOM, but
you depend more on the reduction tools and eat more disk space doing so.
However, I am just exploring the audit.rules settings in RHEL and
wanted to
know if these changes are particular to a specific version of Red Hat.
I believe that RHEL4 has a nispom.rules file also. It has not be updated in
quite a while, but it should be a good starting point. It probably needs
updating for arch=b32 and 64 so that biarch machines get the right syscalls
being audited.
-Steve
6052
days inactive
6057
days old
linux-audit@lists.linux-audit.osci.io
3 comments
3 participants
participants (3)
-
corbin -
Mathis, Jim -
Steve Grubb