Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am trying to lock down a server using audit.rules. I intend to use ausearch to review certain entries from time to time. I noticed that it's possible to assign a "key" to each rule and then use `ausearch -k` to show only the records that have that key.
Unfortunately, the key feature seems broken. I started with the following rule in audit.rules:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
I do a `cat /etc/shadow` and a `ausearch -ts today -k deny` and it seems all went well. Now, I want a special key for /etc/shadow, so I added a new rule:
Code:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F path=/etc/shadow -k shadow
I restarted auditd and did a `cat /etc/shadow` and a `ausearch -ts today -k shadow`. The new record did not show up. When doing a `ausearch -ts today`, I found that the key for the new record is still "deny" not "shadow" as I expected. I tried putting the "shadow" rule before and after the "deny" rule, and it didn't help. If I completely removed the "deny" rule, the key would finally work for "shadow".
I feel totally stumped. I have certain scenarios that I want to be keyed in certain ways. The /etc/shadow shown above was just an example for a more complex set of filters that I want to build. I would rather not have to type it in each time I do an ausearch. Did I do something wrong? Is there an easier solution?
Here is my failing audit.rules:
Code:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k deny
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F path=/etc/shadow -k shadow
I restarted auditd and did a `cat /etc/shadow` and a `ausearch -ts today -k shadow`. The new record did not show up.
If you tested this as root account user then both your rules won't trigger on exit=-EACCES. Did you? Why not place a watch and use '-w /etc/shadow -p r -k shadow'? This would get syscalls logged too. What's the reason behind the need for specific syscalls?
Quote:
Originally Posted by dunamin
I have certain scenarios that I want to be keyed in certain ways.
Interesting. As you said you are locking down the machine could you please elaborate?
Thanks for writing back. I triggered /etc/shadow with a normal user account, not root. I'll try the `/etc/shadow -p r -k shadow` to see if the shadow key shows up.
I have two main goals with this setup:
1. Log anything possibly suspicious.
2. Create a filter for very unusual bad stuff.
I used the syscall flavor of rules since it will log every time someone gets a permission denied regardless of the file's path. There's a utility that when not run as root will attempt to open a config file in /etc and fail. I know the name of the utility, the name of the /etc file and the user who always does this. I want to filter out those types of events using a key.
To hopefully simplify the problem, I was picturing some piece of code that would look like this:
Code:
if (status==permission_denied){
if (file==/etc/shadow) then key=a;
else key=b;
}
I wonder if audit.rules can even express such logic. I'm starting to think that I will just have to make an uglier filter on the ausearch side of things.
Thanks again for your advice. I still seem stuck. Here's the latest update:
1. I tried the path!=/etc/shadow and get an invalid argument error.
2. I don't have too much MAC configured yet, but I may start adding more. I was trying to figure out how best to use it so any advice is welcomed. But I would like to keep things fairly simple for the other admins on the team.
3. ausearch does not allow the same fields identified by auditctl so it's not easy to filter out certain scenarios after they have happened.
At this point, I'd settle for a tool that will easily filter out unwanted records from audit logs.
have a look in /usr/share/doc/audit-<version>/ there are rules files in there that will be a really good start. stig.rules is a mostly DOD STIG compliant version of the rules
I tried the path!=/etc/shadow and get an invalid argument error.
Shame creating exclusions this way doesn't work. I don't know if you want to pursue it but if you could ask this on the SELinux users mailing list I'd love to read the developers replies or ideas...
Quote:
Originally Posted by dunamin
I don't have too much MAC configured yet, but I may start adding more. I was trying to figure out how best to use it so any advice is welcomed. But I would like to keep things fairly simple for the other admins on the team.
IMHO "simple" is not as good a reference point as "effective" would be. I'd say log what you need to know about, where need is determined by the placement of the server, its purpose, the services it runs, the type of accounts it gives access to et cetera. If you're looking at the STIG rules also have a look at CAPP rules as they complement each other in some ways.
Quote:
Originally Posted by dunamin
ausearch does not allow the same fields identified by auditctl so it's not easy to filter out certain scenarios after they have happened.
Could you give us an example of that?
Quote:
Originally Posted by dunamin
At this point, I'd settle for a tool that will easily filter out unwanted records from audit logs.
That would be a good starting point because you can only know about events you log.
Of course, it would be only for what is already logged, but it opens the search beyond trying to create the proper keys beforehand. I'm starting to think sed/awk/grep/perl scripting of /var/log/audit is my best bet. It looks like each event really has several lines, so this does not sound like an easy approach. Maybe the samples mentioned by slimm will generate some new ideas.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.