Hoping this is the right place to get help configuring auditd(laus) on Red Hat. I have 4 high security systems that I need to allow a new employee root access to. I would like to see everything that is done by root or any other users/processes, however the only thing I can seem to get it to do is tell me when my cronjobs, the sa stuff runs and login info. ############################################# filesets.conf: # Set of files for which we track read access. # set secret-files = { "/etc", "/bin", }; ############################################# filter.conf: # Various primitive predicates predicate is-null = eq(0); predicate is-negative = lt(0); predicate is-system-uid = lt(100); predicate is-lower-1024 = lt(-1024); # # Predicate to check open(2) mode: true iff # (mode & O_ACCMODE) == O_RDONLY predicate is-rdonly = mask(O_ACCMODE, O_RDONLY); # # Predicates for testing file type, valid when applied # to a file type argument predicate __isreg = mask(S_IFMT, S_IFREG); predicate __isdir = mask(S_IFMT, S_IFDIR); predicate __ischr = mask(S_IFMT, S_IFCHR); predicate __isblk = mask(S_IFMT, S_IFBLK); predicate __issock = mask(S_IFMT, S_IFSOCK); predicate __islnk = mask(S_IFMT, S_IFLNK); predicate s_isreg = __isreg(file-mode); predicate s_isdir = __isdir(file-mode); predicate s_ischr = __ischr(file-mode); predicate s_isblk = __isblk(file-mode); predicate s_issock = __issock(file-mode); predicate s_islnk = __islnk(file-mode); predicate is-tempdir = mask(01777, 01777); predicate is-world-writable = mask(0666, 0666); # # Predicates dealing with process exit code predicate if-crash-signal = !mask(__WSIGMASK, 0) && (mask(__WSIGMASK, __WSIGILL) || mask(__WSIGMASK, __WSIGABRT) || mask(__WSIGMASK, __WSIGSEGV) || mask(__WSIGMASK, __WSIGSTKFLT)); # # Predicates for audit-tags predicate is-o-creat = mask(O_CREAT, O_CREAT); predicate is-ipc-remove = eq(IPC_RMID); predicate is-ipc-setperms = eq(IPC_SET); predicate is-ipc-creat = mask(IPC_CREAT, IPC_CREAT); predicate is-auditdevice = prefix("/dev/audit"); predicate is-cmd-set-auditid = eq(AUIOCSETAUDITID); predicate is-cmd-set-loginid = eq(AUIOCLOGIN); # # Misc filters filter is-root = is-null(uid); filter is-setuid = is-null(dumpable); filter syscall-failed = is-negative(result); filter syscall-addr-succeed = is-lower-1024(result); predicate is-af-packet = eq(AF_PACKET); predicate is-af-netlink = eq(AF_NETLINK); predicate is-sock-raw = eq(SOCK_RAW); # # Include filesets. # include "filesets.conf"; # # "Secret" files should not be read by everyone - # we also log read access to these files # predicate is-secret = prefix(@secret-files); # # All regular files owned by a system uid are deemed sensitive # predicate is-system-file = is-system-uid(file-uid) && !prefix("/var") && !is-world-writable(file-mode); # # Define ioctls we track # set sysconf-ioctls = { SIOCADDDLCI, SIOCADDMULTI, SIOCADDRT, SIOCBONDCHANGEACTIVE, SIOCBONDENSLAVE, SIOCBONDRELEASE, SIOCBONDSETHWADDR, SIOCDARP, SIOCDELDLCI, SIOCDELMULTI, SIOCDELRT, SIOCDIFADDR, SIOCDRARP, SIOCETHTOOL, SIOCGIFBR, SIOCSARP, SIOCSIFADDR, SIOCSIFBR, SIOCSIFBRDADDR, SIOCSIFDSTADDR, SIOCSIFENCAP, SIOCSIFFLAGS, SIOCSIFHWADDR, SIOCSIFHWBROADCAST, SIOCSIFLINK, SIOCSIFMAP, SIOCSIFMEM, SIOCSIFMETRIC, SIOCSIFMTU, SIOCSIFNAME, SIOCSIFNETMASK, SIOCSIFPFLAGS, SIOCSIFSLAVE, SIOCSIFTXQLEN, SIOCSMIIREG }; predicate is-sysconf-ioctl = eq(@sysconf-ioctls); # # System calls on file names # set file-ops = { "mkdir", "rmdir", "unlink", "chmod", "chown", "lchown", "chown32", "lchown32", }; # # General system related ops # set system-ops = { swapon, swapoff, create_module, init_module, delete_module, sethostname, setdomainname, }; set priv-ops = { "setuid", "setuid32", "seteuid", "seteuid32", "setreuid", "setreuid32", "setresuid", "setresuid32", "setgid", "setgid32", "setegid", "setegid32", "setregid", "setregid32", "setresgid", "setresgid32", "setgroups", "setgroups32", "capset", }; # # Audit-Tags (only syscall related tags are handled here) # # define sets of syscalls related to audit-tags # System calls for changing file modes set mode-ops = { "chmod", "fchmod", }; # System calls for changing file owner set owner-ops = { "chown", "lchown", "chown32", "lchown32", "fchown", }; # System calls doing file link operations set link-ops = { "link", "symlink", }; # System calls for creating device files set mknod-ops = { "mknod", }; # System calls for opening a file set open-ops = { "open", }; # File renaming set rename-ops = { "rename", }; # File truncation set truncate-ops = { "truncate", "truncate64", "ftruncate", "ftruncate64", }; # Unlink files set unlink-ops = { "unlink", }; # Deletion of directories set rmdir-ops = { "rmdir", }; # Mounting of filesystems set mount-ops = { "mount", }; # Unounting of filesystems set umount-ops = { "umount", "umount2" }; # Changing user (-role) set userchange-ops = { "setuid", "setuid32", "seteuid", "seteuid32", "setreuid", "setreuid32", "setresuid", "setresuid32", }; # Execute another program set execute-ops = { "execve", }; # Set real user-ID set realuid-ops = { "setuid", "setuid32", }; # Set user-IDS in gerneral set setuserids-ops = { "setuid", "setuid32", "seteuid", "seteuid32", "setreuid", "setreuid32", "setresuid", "setresuid32", }; # Set real group-ID set realgid-ops = { "setgid", "setgid32", "setgroups", "setgroups32", }; # Set group-IDs in gerneral set setgroups-ops = { "setgid", "setgid32", "setegid", "setegid32", "setregid", "setregid32", "setresgid", "setresgid32", "setgroups", "setgroups32", }; # Set other kind of privileges (capabilities) set privilege-ops = { "capset", }; # Change system-time set timechange-ops = { "adjtimex", "stime", "settimeofday", }; # bring sets and tags in conjunction tag "FILE_mode" syscall @mode-ops = always; tag "FILE_owner" syscall @owner-ops = always; tag "FILE_link" syscall @link-ops = always; tag "FILE_mknod" syscall @mknod-ops = always; tag "FILE_create" syscall open = is-o-creat(arg1); tag "FILE_create" syscall creat = always; #tag "FILE_open" #syscall @open-ops = always; tag "FILE_open" syscall @open-ops = (is-system-file(arg0) && !(is-rdonly(arg1))) || is-secret(arg0); tag "FILE_rename" syscall @rename-ops = always; tag "FILE_truncate" syscall @truncate-ops = always; tag "FILE_unlink" syscall @unlink-ops = always; tag "FS_rmdir" syscall @rmdir-ops = always; tag "FS_mount" syscall @mount-ops = always; tag "FS_umount" syscall @umount-ops = always; # I think owner changing doesnt make much sense tag "MSG_owner" syscall msgctl = is-ipc-setperms(arg1); tag "MSG_mode" syscall msgctl = is-ipc-setperms(arg1); tag "MSG_delete" syscall msgctl = is-ipc-remove(arg1); tag "MSG_create" syscall msgget = always; tag "SEM_owner" syscall semctl = is-ipc-setperms(arg2); tag "SEM_mode" syscall semctl = is-ipc-setperms(arg2); tag "SEM_delete" syscall semctl = is-ipc-remove(arg2); tag "SEM_create" syscall semget = always; tag "SHM_owner" syscall shmctl = is-ipc-setperms(arg1); tag "SHM_mode" syscall shmctl = is-ipc-setperms(arg1); tag "SHM_delete" syscall shmctl = is-ipc-remove(arg1); tag "SHM_create" syscall shmget = always; tag "PRIV_userchange" syscall @userchange-ops = always; tag "PROC_execute" syscall @execute-ops = always; tag "PROC_realuid" syscall @realuid-ops = always; tag "PROC_auditid" syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-auditid(arg1)); tag "PROC_loginid" syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-loginid(arg1)); tag "PROC_setuserids" syscall @setuserids-ops = always; tag "PROC_realgid" syscall @realgid-ops = always; tag "PROC_setgroups" syscall @setgroups-ops = always; tag "PROC_privilege" syscall @privilege-ops = always; tag "SYS_timechange" syscall @timechange-ops = always; # not required by CAPP syscall ipc = always; syscall socket = is-af-packet(arg0) || is-sock-raw(arg1); syscall ioctl = is-sysconf-ioctl(arg1); # # Special filters for process/termination event process-exit = if-crash-signal(exitcode); # # Events we want to log unconditionally: event network-config = always; event user-message = always; event process-login = always; # Custom predicate is-root = prefix(/bin); syscall execve = is-root(arg0); ############################################# Thanks Gene Dellinger