LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-10-2010, 08:37 AM   #1
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Rep: Reputation: 16
audit rules help


Is there someplace good for looking up how to implement different audit specific rules?
I've been scouring the web and having some issues figuring out how to add some new audit rules.

Basically I want to add rules for mounting, which I believe is just adding a watch to /bin/mount.

But I also want to look for when users mount a share on a server, from the server side. I believe this would also mean I need to watch the nfs/cifs daemons for new exports, or really just recycling those daemons.

Hints? Tips? Tricks? Or better yet, docs?

Thanks!
 
Old 12-11-2010, 07:18 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Sure you could include all the various mount binaries but also any mount-related syscalls. A rule for the latter could look like: 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount'.
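The rule above tags every mount/umount syscall with the key SYS_mount. What lands in /var/log/audit/audit.log for each hit is a SYSCALL record (which syscall, which uids, success or failure) followed by CWD and PATH records for the paths involved, all carrying the same event id in msg=audit(timestamp:serial). The script below is an added example, not code from the thread: it joins those records by event id and reports the login uid (auid, which survives su/sudo), the syscall name, the binary and the target path. The log lines are constructed samples and the syscall-number table assumes x86_64. One caveat on the rule itself: current audit userspace no longer accepts the `entry` list, so the same rule is written `-a always,exit -F arch=b64 -S mount -S umount2 -k SYS_mount`, with a second `-a always,exit -F arch=b32 -S mount -S umount -S umount2 -k SYS_mount` rule for 32-bit callers (on x86_64 the plain `umount` syscall exists only in the 32-bit table).

```python
"""Added example: summarise auditd events tagged with the SYS_mount key by
joining each SYSCALL record with its PATH records on the audit event id.
All log lines and field values below are constructed samples."""
import re
from collections import defaultdict

# Constructed sample: two rule hits (events 4567 and 4569) and one unrelated
# event (4568) that must be ignored because it carries no SYS_mount key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1292000000.123:4567): arch=c000003e syscall=165 success=yes exit=0 a0=7fff a1=7ffe a2=7ffd a3=0 items=1 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/bin/mount" key="SYS_mount"
type=CWD msg=audit(1292000000.123:4567):  cwd="/root"
type=PATH msg=audit(1292000000.123:4567): item=0 name="/mnt/share" inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1292000000.456:4568): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1292000000.456:4568): item=0 name="/etc/crontab" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1292000100.789:4569): arch=c000003e syscall=166 success=no exit=-16 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="umount" exe="/bin/umount" key="SYS_mount"
type=PATH msg=audit(1292000100.789:4569): item=0 name="/mnt/share" inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# x86_64 numbers for the syscalls named in the rule (assumption: the sample
# box is x86_64; other architectures use different numbers).
X86_64_SYSCALLS = {165: "mount", 166: "umount2"}

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (serial, timestamp, {field: value}).
    Quoted values lose their quotes; (null)/(none) are kept as text."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    ts, serial = m.group(1), int(m.group(2))
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return serial, ts, fields


def mount_events(log_text, syscall_names=X86_64_SYSCALLS, key="SYS_mount"):
    """Return one summary dict per event whose SYSCALL record carries the
    rule key, with the names from its PATH records attached."""
    by_event = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            serial, ts, fields = rec
            by_event[serial].append((ts, fields))

    results = []
    for serial in sorted(by_event):
        records = by_event[serial]
        syscalls = [f for _, f in records
                    if f.get("type") == "SYSCALL" and f.get("key") == key]
        if not syscalls:
            continue  # no rule hit in this event
        sc = syscalls[0]
        paths = [f["name"] for _, f in records
                 if f.get("type") == "PATH" and "name" in f]
        results.append({
            "serial": serial,
            "time": records[0][0],
            "syscall": syscall_names.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc["success"] == "yes",
            "auid": int(sc["auid"]),  # login uid: who really did it, even via sudo
            "uid": int(sc["uid"]),
            "exe": sc["exe"],
            "paths": paths,
        })
    return results


if __name__ == "__main__":
    for ev in mount_events(SAMPLE_AUDIT_LOG):
        status = "ok" if ev["success"] else "FAILED"
        print(f"{ev['time']} auid={ev['auid']} uid={ev['uid']} {ev['syscall']} "
              f"{status} {ev['exe']} -> {', '.join(ev['paths'])}")
```

The auid is the field to key alerts on: uid=0 only says the mount ran as root, auid=1000 says which logged-in account got there. On a real box the same join is what `ausearch -k SYS_mount -i` does for you; the script is useful when the logs have already been shipped off-host.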
 
Old 12-13-2010, 07:51 AM   #3
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Rep: Reputation: 16
It sounds like including the mount syscalls is the direction I want to take on the client. Would that only audit if the client was mounting a share? On the server would auditing the mount syscalls catch when a client mounted something on the server?

Auditing someone on the server mounting anything is an auditable action, but I also need to track when clients are mounting a share, and I'm not clear from the response if that is the case.

There is also the case where I need to audit any new exports/cifs shares being created.
 
Old 12-14-2010, 08:17 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by idlehands View Post
It sounds like including the mount syscalls is the direction I want to take on the client. Would that only audit if the client was mounting a share? On the server would auditing the mount syscalls catch when a client mounted something on the server?
Isn't that something you could test yourself?


Quote:
Originally Posted by idlehands View Post
Auditing someone on the server mounting anything is an auditable action, but I also need to track when clients are mounting a share, and I'm not clear from the response if that is the case. There is also the case where I need to audit any new exports/cifs shares being created.
Auditd should be able to capture read and write syscalls as per my example on both client and server, but extensive logging is neither configured off the shelf nor is it accessible or centrally managed from inside one single application, so having logs from other sources (ranging from local auth to AD) is key. Samba itself, for example, has per-share CIFS VFS audit capabilities
Code:
[sharename]
vfs objects = full_audit
full_audit:prefix = %u|%I|%S|%m
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:failure = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local1
full_audit:priority = info
that may complement available auditing. For more see 'man 8 vfs_full_audit'.
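With the configuration above, smbd logs one syslog line per VFS operation to local1.info under the identity smbd_audit. Each line starts with the configured prefix, here the Samba substitutions %u (user), %I (client IP), %S (share) and %m (client NetBIOS name) separated by `|`, then the operation name, `ok` or `fail`, and the operation's own arguments. The following parser is an added example, not code from the thread or from Samba: it turns those lines into events and pulls out what a reviewer of share activity wants first, denied operations and successful destructive ones (the destructive set is taken from the operation list in the config above). The log lines are constructed samples.

```python
"""Added example: parse the syslog records produced by the vfs_full_audit
settings above and flag denied and destructive operations per user/client.
The sample log lines are constructed, not a real capture."""
import re
from collections import Counter

# Mapping of the Samba substitutions used in full_audit:prefix to field names.
PREFIX_FIELDS = {"%u": "user", "%I": "client_ip", "%S": "share", "%m": "client"}

# Operations from the configured list that change or remove data on the share.
DESTRUCTIVE_OPS = {"unlink", "rename", "rmdir", "chmod", "fchmod", "chown", "fchown"}

# Constructed sample syslog excerpt: five smbd_audit records and one unrelated
# cron line that the parser must skip.
SAMPLE_SYSLOG = """\
Dec 14 08:17:01 fs01 smbd_audit: alice|192.0.2.10|finance|ws01|connect|ok|finance
Dec 14 08:17:02 fs01 smbd_audit: alice|192.0.2.10|finance|ws01|open|ok|r|reports/q4.xlsx
Dec 14 08:17:05 fs01 smbd_audit: bob|192.0.2.22|finance|ws02|open|fail|w|reports/q4.xlsx
Dec 14 08:17:09 fs01 smbd_audit: bob|192.0.2.22|finance|ws02|unlink|ok|reports/old.xlsx
Dec 14 08:17:10 fs01 CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Dec 14 08:17:11 fs01 smbd_audit: alice|192.0.2.10|finance|ws01|disconnect|ok|finance
"""

AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<body>.*)$")


def parse_full_audit(log_text, prefix="%u|%I|%S|%m"):
    """Return a list of event dicts; the prefix argument must match the
    full_audit:prefix setting so the leading fields are named correctly."""
    names = [PREFIX_FIELDS[p] for p in prefix.split("|")]
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue  # not an smbd_audit record
        parts = m.group("body").split("|")
        if len(parts) < len(names) + 2:
            continue  # truncated record: prefix + op + result are mandatory
        ev = dict(zip(names, parts[:len(names)]))
        ev["time"] = m.group("ts")
        ev["op"] = parts[len(names)]
        ev["ok"] = parts[len(names) + 1] == "ok"
        ev["args"] = parts[len(names) + 2:]  # e.g. ["r", "reports/q4.xlsx"] for open
        events.append(ev)
    return events


def review(events):
    """Return (alerts, counts): human-readable alerts for failed and
    destructive operations, and an operation count per (user, client_ip)."""
    alerts = []
    counts = Counter()
    for ev in events:
        counts[(ev["user"], ev["client_ip"])] += 1
        who = f"{ev['user']}@{ev['client_ip']}"
        what = "|".join(ev["args"])
        if not ev["ok"]:
            alerts.append(f"{ev['time']} denied {ev['op']} by {who} on {ev['share']}: {what}")
        elif ev["op"] in DESTRUCTIVE_OPS:
            alerts.append(f"{ev['time']} {ev['op']} by {who} on {ev['share']}: {what}")
    return alerts, counts


if __name__ == "__main__":
    alerts, counts = review(parse_full_audit(SAMPLE_SYSLOG))
    for a in alerts:
        print(a)
    for (user, ip), n in counts.items():
        print(f"{user}@{ip}: {n} operations")
```

Because the prefix is configurable, the parser takes it as a parameter rather than hard-coding four fields; if you add `%T` or other substitutions to full_audit:prefix, extend PREFIX_FIELDS to match.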
 
Old 12-15-2010, 08:42 AM   #5
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Rep: Reputation: 16
Thanks for the hints, I think I have enough to muddle through now. One would think I could test all of this but I don't get much in the way of test systems unfortunately.
 
Old 12-15-2010, 08:53 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You mean you don't have a workstation you can use virtualization on?
 
Old 12-16-2010, 06:40 AM   #7
idlehands
Member
 
Registered: Mar 2010
Distribution: zLinux, RHEL, Ubuntu, SUSE
Posts: 50

Original Poster
Rep: Reputation: 16
Granted I could do that to my work PC, but it's not quite beefy enough that the performance hit the host would take wouldn't irritate me. I will probably end up doing that anyways though.
 
Old 12-18-2010, 10:02 PM   #8
san_patil
LQ Newbie
 
Registered: Dec 2010
Posts: 4

Rep: Reputation: 0
1. Well, 'auditctl -a entry,always -S mount -S umount -S umount2 -k SYS_mount' does not seem to audit log any mount request that is sent by the NFS client to the NFS server.
2. CIFS seems to have the facility as indicated, but there seems to be none for NFS :-( .. any clue?
3. The NFS server seems to log the following relevant messages in /var/log/messages - but how do I filter it such that it is directed to a particular log file/server? (Does the below message come under authpriv.* for an rsyslog rule?)
2010-12-05T02:59:13.321745+05:18 int002st001 mountd[1390190]: authenticated mount request from son.in.xx.com:794 for /mount_test (/test)

Advice appreciated.
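Two notes on this post, added here as an editor's example rather than a reply from the thread. First, the observation in point 1 is expected: an NFS client's mount never reaches the server as a mount(2) syscall. The client sends an RPC MNT request that rpc.mountd answers in user space, so a syscall rule on the server has nothing to match, and the mountd syslog line quoted above is the server-side record of a client mount. Second, routing that line to its own file is a job for the syslog daemon rather than auditd. The rsyslog fragment below is an added example in RainerScript syntax (rsyslog 7 and later); the file path and log host are placeholders. It matches on the program name, so it does not depend on knowing which facility mountd logs under.

```conf
# Added example: route rpc.mountd messages such as
# "authenticated mount request from ... for ..." to a dedicated file
# and forward a copy to a central collector.
# /var/log/nfs-mounts.log and loghost.example.com are placeholders.
if $programname == 'mountd' then {
    action(type="omfile" file="/var/log/nfs-mounts.log")
    action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp")
    stop
}
```

On the rsyslog versions contemporary with this thread the same filter is the legacy pair `:programname, isequal, "mountd" /var/log/nfs-mounts.log` followed by `& ~`, which discards the message from the rules that follow. Leave out `stop` (or `& ~`) if the line should also keep reaching /var/log/messages.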
 
  

