LinuxQuestions.org


idlehands 12-10-2010 08:37 AM

audit rules help
 
Is there someplace good for looking up how to implement different audit specific rules?
I've been scouring the web and having some issues figuring out how to add some new audit rules.

Basically I want to add rules for mounting, which I believe is just adding a watch to /bin/mount.

But I also want to look for when users mount a share on a server, from the server side. I believe this would also mean I need to watch nfs/cifs daemons for new exports, or really just recycling those daemons.

Hints? Tips? Tricks? Or, better yet, docs?

Thanks!

unSpawn 12-11-2010 07:18 AM

Sure, you could include all the various mount binaries but also any mount-related syscalls. A rule for the latter could look like: 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount'.

idlehands 12-13-2010 07:51 AM

It sounds like including the mount syscalls is the direction I want to take on the client. Would that only audit if the client was mounting a share? On the server would auditing the mount syscalls catch when a client mounted something on the server?

Auditing someone on the server mounting anything is an auditable action, but I also need to track when clients are mounting a share, and I'm not clear from the response if that is the case.

There is also the case where I need to audit any new exports/cifs shares being created.

unSpawn 12-14-2010 08:17 AM

Quote:

Originally Posted by idlehands (Post 4189744)
It sounds like including the mount syscalls is the direction I want to take on the client. Would that only audit if the client was mounting a share? On the server would auditing the mount syscalls catch when a client mounted something on the server?

Isn't that something you could test yourself?


Quote:

Originally Posted by idlehands (Post 4189744)
Auditing someone on the server mounting anything is an auditable action, but I also need to track when clients are mounting a share, and I'm not clear from the response if that is the case. There is also the case where I need to audit any new exports/cifs shares being created.

Auditd should be able to capture read and write syscalls as per my example on both client and server, but extensive logging is neither configured off the shelf nor is it accessible or centrally managed from inside one single application, so having logs from other sources (ranging from local auth to AD) is key. Samba itself, for example, has per-share CIFS VFS audit capabilities
Code:

[sharename]
vfs objects = full_audit
full_audit:prefix = %u|%I|%S|%m
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:failure = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local1
full_audit:priority = info

that may complement available auditing. For more see 'man 8 vfs_full_audit'.

idlehands 12-15-2010 08:42 AM

Thanks for the hints, I think I have enough to muddle through now. One would think I could test all of this but I don't get much in the way of test systems unfortunately.

unSpawn 12-15-2010 08:53 AM

You mean you don't have a workstation you can use virtualization on?

idlehands 12-16-2010 06:40 AM

Granted, I could do that to my work PC, but it's not quite beefy enough that the performance hit the host would take wouldn't irritate me. I will probably end up doing that anyways though.

san_patil 12-18-2010 10:02 PM

1. Well, 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount' does not seem to audit log any mount request that is sent by the NFS client to the NFS server.
2. CIFS seems to have the facility as indicated, but there seems to be none for NFS :-( .. any clue?
3. The NFS server seems to log the following relevant messages in /var/log/messages, but how do I filter it such that it is directed to a particular log file/server? (Does the message below come under authpriv.* for the rsyslog rule?)
2010-12-05T02:59:13.321745+05:18 int002st001 mountd[1390190]: authenticated mount request from son.in.xx.com:794 for /mount_test (/test)

Advice appreciated.
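An added example (not posted by anyone in this thread) that shows what the two log sources discussed above actually give a defender: the syscall records produced by unSpawn's 'auditctl ... -k SYS_mount' rule on the host doing the mount, and the server-side rpc.mountd syslog line quoted in point 3. It assumes x86_64 (arch=c000003e, where syscall 165 is mount and 166 is umount2); the audit records are constructed sample input, while the mountd line is the one from the post.

```python
import re
from dataclasses import dataclass

# x86_64 syscall numbers matched by '-S mount -S umount -S umount2' (umount maps to umount2 on x86_64)
X86_64_MOUNT_SYSCALLS = {165: "mount", 166: "umount2"}

AUDIT_RE = re.compile(r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)')
MOUNTD_RE = re.compile(
    r'(?P<ts>\S+) (?P<host>\S+) mountd\[\d+\]: authenticated mount request from '
    r'(?P<client>[^:]+):(?P<port>\d+) for (?P<path>\S+) \((?P<export>[^)]+)\)')

@dataclass
class MountEvent:
    source: str    # "audit": local mount/umount syscall; "mountd": NFS server granting a client mount
    host: str      # host that produced the record
    actor: str     # login uid (auid) for audit records, client host for mountd records
    op: str
    target: str    # exe for audit records, exported directory for mountd records
    success: bool

def parse_audit_syscall(line, hostname="localhost"):
    """Return a MountEvent for a SYSCALL record tagged key="SYS_mount", else None."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("body"))}
    if fields.get("key") != "SYS_mount" or fields.get("arch") != "c000003e":
        return None
    op = X86_64_MOUNT_SYSCALLS.get(int(fields.get("syscall", -1)))
    if op is None:
        return None
    return MountEvent("audit", hostname, "auid=" + fields.get("auid", "?"), op,
                      fields.get("exe", "?"), fields.get("success") == "yes")

def parse_mountd(line):
    """Return a MountEvent for an rpc.mountd 'authenticated mount request' line, else None."""
    m = MOUNTD_RE.match(line)
    if not m:
        return None
    return MountEvent("mountd", m.group("host"), m.group("client"), "nfs_mount", m.group("export"), True)

def mount_events(lines, hostname="localhost"):
    """Parse a mixed stream of audit.log and syslog lines into mount events."""
    return [ev for ev in (parse_audit_syscall(l, hostname) or parse_mountd(l) for l in lines) if ev]

SAMPLE_LOG = [  # constructed audit records plus the mountd line from the post above
    'type=SYSCALL msg=audit(1291984752.123:4567): arch=c000003e syscall=165 success=yes exit=0 '
    'items=1 ppid=2001 pid=2002 auid=1000 uid=0 comm="mount" exe="/bin/mount" key="SYS_mount"',
    'type=SYSCALL msg=audit(1291984799.456:4599): arch=c000003e syscall=166 success=no exit=-16 '
    'items=1 ppid=2001 pid=2010 auid=1000 uid=0 comm="umount" exe="/bin/umount" key="SYS_mount"',
    '2010-12-05T02:59:13.321745+05:18 int002st001 mountd[1390190]: authenticated mount request '
    'from son.in.xx.com:794 for /mount_test (/test)',
    'type=SYSCALL msg=audit(1291984800.000:4600): arch=c000003e syscall=2 success=yes exit=3 '
    'items=1 ppid=1 pid=5 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="other"',
]
```

Note that the audit rule only ever fires on the machine executing the mount(2) call, so an NFS client mounting an export shows up in the server's records through mountd, never through the server's own SYS_mount key.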
