3:57 p.m.
Hello all,
I am trying to add the following functionality to auditd (via audit.rules) using
the following rules, but the rules don't work on my RHEL ES 4 system (fully
patched). Could someone look at them and tell me what I am doing wrong, or where
I can read how to do it right?
1)
# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
RULE:
-w /var/log/audit/audit.log -p r -F auid=-1
ERROR:
List must be given before field
2)
# Ensures that any user who mounts or unmounts a device is audited
RULE:
-a exit,always -S mount -S umount
ERROR:
Syscall name unknown: umount
3)
# ensures auditing whenever the reboot command is sent to the kernel
RULE:
-a always,entry -S socketcall -F a0=13
ERROR:
Syscall name unknown: socketcall
4)
# Ensures auditing of any unauthorized access to roots home directory.
RULE:
-w /root -p rw -F uid!=0
ERROR:
List must be given before field
5)
#Ensure that failed use of the following system calls is audited
RULE:
-a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0 -F
auid=-1 -F auid=0
ERROR:
Syscall name unknown: stime
TIA,
Bill Tangren
4:15 p.m.
On Monday 29 January 2007 16:57, Bill Tangren wrote:
1)
# Ensures that any reads of the audit log by the current user that's logged
is # audited. It might be beneficial to create a rule for each of the 5
logs # that are generated.
RULE:
-w /var/log/audit/audit.log -p r -F auid=-1
On RHEL4, syscall auditing and file system auditing cannot be mixed on the
same line. Watches can only take -p & -k parameters.
2)
# Ensures that any user who mounts or unmounts a device is audited
RULE:
-a exit,always -S mount -S umount
Are you on x86_64? If so, you should use umount2. I believe this is documented
in capp.rules.
3)
# ensures auditing whenever the reboot command is sent to the kernel
RULE:
-a always,entry -S socketcall -F a0=13
x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would
need to audit shutdown.)
4)
# Ensures auditing of any unauthorized access to roots home directory.
RULE:
-w /root -p rw -F uid!=0
see #1 above
5)
#Ensure that failed use of the following system calls is audited
RULE:
-a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
-F auid=-1 -F auid=0
stime is valid on i386. maybe settimeofday?
-Steve
4:33 p.m.
Steve Grubb wrote:
On Monday 29 January 2007 16:57, Bill Tangren wrote:
> 1)
> # Ensures that any reads of the audit log by the current user that's logged
> is # audited. It might be beneficial to create a rule for each of the 5
> logs # that are generated.
>
> RULE:
> -w /var/log/audit/audit.log -p r -F auid=-1
This is in the capp.rules too.
On RHEL4, syscall auditing and file system auditing cannot be mixed on the
same line. Watches can only take -p & -k parameters.
> 2)
> # Ensures that any user who mounts or unmounts a device is audited
>
> RULE:
> -a exit,always -S mount -S umount
Are you on x86_64? If so, you should use umount2. I believe this is documented
in capp.rules.
Yes, x86_64. I missed this one in capp.rules. Damn.
> 3)
> # ensures auditing whenever the reboot command is sent to the kernel
>
> RULE:
> -a always,entry -S socketcall -F a0=13
x86_64? If so use the syscall, shutdown. (offhand, I don't know why you would
need to audit shutdown.)
> 4)
> # Ensures auditing of any unauthorized access to roots home directory.
>
> RULE:
> -w /root -p rw -F uid!=0
I'll have to think some more about how to do this one.
see #1 above
> 5)
> #Ensure that failed use of the following system calls is audited
>
> RULE:
> -a exit,always -S quotactl -S mount -S stime -S kill -S chroot -F success=0
> -F auid=-1 -F auid=0
stime is valid on i386. maybe settimeofday?
Yes, settimeofday worked.
-Steve
Thanks, Steve.
6536
days inactive
6536
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Bill Tangren -
Steve Grubb