Linux - Software forum, LinuxQuestions.org
Distribution: Gentoo Hardened using OpenRC not Systemd
auditd is ignoring the -a rules
The -a syscall rules aren't being shown by auditctl -l
Code:
[plasma ~]# cat /etc/audit/rules.d/audit.rule
# -w path-to-file -p permissions -k keyname
# where the permission are any one of the following:
#
# r – read of the file
# w – write to the file
# x – execute the file
# a – change in the file’s attribute (ownership/permissions)
-D # first rule - delete all
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p rwxa -k rules
-w /etc/security -p rwxa -k security
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
-a always,exit -S sethostname -S setdomainname -k system-locale
# disable adding any additional rules - note that adding new rules will require a reboot
-e 2
[plasma ~]# auditctl -R /etc/audit/rules.d/audit.rule
[plasma ~]# auditctl -l
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p rwxa -k rules
-w /etc/security -p rwxa -k security
[plasma ~]#
... If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that any syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info.
Ok, I updated to include -F arch=b64, and auditctl -l still does not show the syscall rules.
Code:
[plasma ~]# cat /etc/audit/rules.d/audit.rule
# -w path-to-file -p permissions -k keyname
# where the permission are any one of the following:
#
# r – read of the file
# w – write to the file
# x – execute the file
# a – change in the file’s attribute (ownership/permissions)
-D # first rule - delete all
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p wa -k rules
-w /etc/security -p wa -k security
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
# disable adding any additional rules - note that adding new rules will require a reboot
-e 2
Just to be sure: you have the -e 2 rule in there. Did you reboot after changing the rules?
Now I wonder if syscall auditing support is enabled in the kernel:
Code:
grep ^CONFIG_AUDIT /boot/config-`uname -r`
This shouldn't be any different, but I've also noticed that the examples in /usr/share/doc/audit/rules/ set the filter key with -F key= instead of -k.
Maybe try putting your rules into a separate file, say /etc/audit/rules.d/50-my.rules, and generating audit.rules with augenrules:
Code:
# copy the shipped base-config (-D, buffer size, failure mode) and finalize rule files
cp /usr/share/doc/audit/rules/{10-base-config,99-finalize}.rules /etc/audit/rules.d
# uncomment the "#-e 2" line in 99-finalize.rules so the immutable flag is applied last
sed -i 's/^#-/-/' /etc/audit/rules.d/99-finalize.rules
cat >/etc/audit/rules.d/50-my.rules <<EOF
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p wa -k rules
-w /etc/security -p wa -k security
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
EOF
# rules files are root-only; augenrules concatenates rules.d/*.rules into audit.rules and loads it
chmod 600 /etc/audit/rules.d/*
augenrules --load
A long shot, I know, but still. This is from audit.rules(7):
Quote:
If you are not getting events on syscall rules that you think you should, try running a test program under strace so that you can see the syscalls. There is a chance that you might have identified the wrong syscall.
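A pre-flight check for rules files, added here as an example and not part of any post above. Before a file goes to auditctl -R or into /etc/audit/rules.d for augenrules, three things the thread touches on are worth catching mechanically. First, anything placed after -e 2 can never load, because the immutable flag rejects every later change until reboot. Second, an -a rule without -F arch= is looked up for the native arch and applied to both the b32 and the b64 syscall numbers, as the auditctl(8) passage quoted above says. Third, auditctl -R stops at the first line it cannot load (the -c option exists precisely to continue past errors), and a syscall name that does not exist for the named arch is such an error: on x86, stime is only in the 32-bit table, so a b64 rule (or an arch-less rule on an x86_64 host) naming stime is rejected and nothing after that line is sent to the kernel, which is what both rule sets above would run into if the host is x86_64. The script checks the first two structurally and, only when ausyscall(8) from the audit package is installed, resolves every -S name for its arch; the b32 to i386 and b64 to x86_64 mapping is an assumption about an x86 host, and the rules file the demo writes is constructed for the demonstration, modelled on the rules posted in this thread. A separate check worth doing by eye: augenrules only concatenates files in /etc/audit/rules.d whose names end in .rules, so a file named audit.rule is not picked up by it.

```shell
#!/bin/sh
# lint_audit_rules FILE
# Pre-flight check for an auditd rules file before it is fed to
# "auditctl -R FILE" or placed in /etc/audit/rules.d for augenrules.
# Prints one line per problem found and, as its last line, the problem count.
#   1. rules placed after "-e 2": the immutable flag rejects every later
#      change until reboot, so those rules never load;
#   2. "-a" syscall rules with no "-F arch=": on a bi-arch kernel the numbers
#      are looked up for the native arch and applied to both ABIs (auditctl(8));
#   3. when ausyscall(8) is installed, every "-S" name is resolved for the
#      rule's arch, because auditctl -R stops at the first line with an
#      unknown syscall name (e.g. stime exists for b32 but not for b64 on x86).
lint_audit_rules() {
    file=$1
    n=0
    problems=0
    immutable=0
    set -f   # no pathname expansion while splitting rule lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # drop comments (including trailing ones such as "-D # delete all") and blank lines
        rule=$(printf '%s\n' "$line" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$rule" ] && continue
        if [ "$immutable" -eq 1 ]; then
            echo "line $n: follows '-e 2' and will never be loaded: $rule"
            problems=$((problems + 1))
        fi
        case "$rule" in
        "-e 2"*)
            immutable=1
            ;;
        "-a "*)
            arch=$(printf '%s\n' "$rule" | sed -n 's/.*-F arch=\([^ ]*\).*/\1/p')
            if [ -z "$arch" ]; then
                echo "line $n: syscall rule without -F arch= matches both b32 and b64 numbers: $rule"
                problems=$((problems + 1))
            fi
            if command -v ausyscall >/dev/null 2>&1; then
                # Assumption: an x86 host, where b32 is the i386 table and b64 (or no arch) the x86_64 table.
                case "$arch" in b32) table=i386 ;; *) table=x86_64 ;; esac
                set -- $rule
                while [ $# -gt 1 ]; do
                    if [ "$1" = "-S" ]; then
                        # auditctl accepts both "-S a -S b" and "-S a,b"
                        for sc in $(printf '%s\n' "$2" | tr ',' ' '); do
                            ausyscall "$table" "$sc" >/dev/null 2>&1 ||
                                { echo "line $n: '$sc' is not a $table syscall, auditctl -R stops here: $rule"
                                  problems=$((problems + 1)); }
                        done
                        shift
                    fi
                    shift
                done
            fi
            ;;
        esac
    done <"$file"
    set +f
    echo "$problems"
}

# Demonstration on a constructed rules file modelled on the ones posted in this thread.
lint_demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample, not a real configuration
-D # first rule - delete all
-w /etc/shadow -p wa -k shadow
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-e 2
-w /etc/sudoers -p wa -k sudoers
EOF
    lint_audit_rules "$tmp"
    rm -f "$tmp"
}

lint_demo
```

On a host without ausyscall the demo reports two findings (the arch-less rule on line 4 and the watch after -e 2 on line 8); with ausyscall installed it adds a third, because stime does not resolve in the x86_64 table. Run it against the real file with `lint_audit_rules /etc/audit/rules.d/50-my.rules` before `augenrules --load`, and remember that once -e 2 has actually taken effect nothing short of a reboot lets a corrected file load.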