LinuxQuestions.org
Old 06-01-2020, 04:43 AM   #1
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Rep: Reputation: 85
auditd is ignoring the -a rules


The -a syscall rules aren't being shown by auditctl -l

Code:
[plasma ~]# cat /etc/audit/rules.d/audit.rule 
# -w path-to-file -p permissions -k keyname
# where the permission are any one of the following:
#
# r – read of the file
# w – write to the file
# x – execute the file
# a – change in the file’s attribute (ownership/permissions)
-D # first rule - delete all
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p rwxa -k rules
-w /etc/security -p rwxa -k security
-a always,exit -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -S clock_settime -k time-change
-a always,exit -S sethostname -S setdomainname -k system-locale
# disable adding any additional rules - note that adding new rules will require a reboot
-e 2
[plasma ~]# auditctl -R /etc/audit/rules.d/audit.rule
[plasma ~]# auditctl -l
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p rwxa -k rules
-w /etc/security -p rwxa -k security
[plasma ~]#
 
Old 06-01-2020, 05:16 AM   #2
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
Hm. From the auditctl manpage:
Quote:
-S [Syscall name or number|all]
... If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that any syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info.
So how about
Code:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
 
Old 06-01-2020, 06:29 AM   #3
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Original Poster
Rep: Reputation: 85
Quote:
Originally Posted by shruggy View Post
Hm. From the auditctl manpage:

So how about
Code:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
Ok, I updated to include -F arch=b64, and auditctl -l still does not show the syscall rules.

Code:
[plasma ~]# cat /etc/audit/rules.d/audit.rule 
# -w path-to-file -p permissions -k keyname
# where the permission are any one of the following:
#
# r – read of the file
# w – write to the file
# x – execute the file
# a – change in the file’s attribute (ownership/permissions)
-D # first rule - delete all
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p wa -k rules
-w /etc/security -p wa -k security
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
# disable adding any additional rules - note that adding new rules will require a reboot
-e 2
Apply the rules

Code:
[plasma ~]# auditctl -R /etc/audit/rules.d/audit.rule
Make a change that should trigger the rule with key system-locale

Code:
[plasma ~]# hostnamectl --static set-hostname audit-test.home.private
Search for the logs with the key system-locale; after that, one should have been generated

Code:
[plasma ~]# ausearch -k system-locale
<no matches>
Now I check the rules that are being used after I read in the rules earlier. None of the syscalls rules that begin with -a show here. What's going on?

Code:
[plasma ~]# auditctl -l
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p rwxa -k rules
-w /etc/security -p rwxa -k security
[plasma ~]#
And I have nearly 10k lines in the log file for auditing that I made no rules for. I don't get it.

Code:
$ wc -l /var/log/audit/audit.log
9541 /var/log/audit/audit.log
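The 9541 lines are expected even with no -w or -a rules loaded: auditd writes its own DAEMON_START and CONFIG_CHANGE records, and PAM, login and systemd send USER_ACCT, CRED_ACQ, LOGIN and USER_START records through the audit user-message interface whatever the rule set contains. Rule-generated events are the ones that carry `key="..."` (the -k value). The script below is an added example, not code from the thread or the audit project; it summarises an audit.log by record type and counts records for a given key, so the volume can be attributed. The sample log it writes is constructed to look like real auditd output and is not taken from the poster's system.

```shell
#!/bin/sh
# Summarise an audit.log by record type and by rule key (added example).

# "<count> <type>" for every type= seen, most frequent first
audit_type_counts() {
    awk 'match($0, /type=[A-Z_]+/) { t = substr($0, RSTART + 5, RLENGTH - 5); n[t]++ }
         END { for (t in n) print n[t], t }' "$1" | sort -rn -k1,1 -k2
}

# number of records carrying key="<key>", i.e. produced by a -k/-F key= rule
audit_key_count() {
    grep -c "key=\"$2\"" "$1" || true     # grep exits 1 on zero matches; still prints 0
}

# Constructed sample: what the log looks like with no -w/-a rules loaded
# (auditd start, one PAM console login) plus a single event from a
# sethostname rule keyed system-locale. Field values are illustrative.
write_sample_audit_log() {
    cat >"$1" <<'EOF'
type=DAEMON_START msg=audit(1591000000.000:1): op=start ver=2.8.5 format=raw kernel=5.4.0 auid=4294967295 pid=1234 uid=0 ses=4294967295 res=success
type=CONFIG_CHANGE msg=audit(1591000000.100:2): audit_enabled=1 old=0 auid=4294967295 ses=4294967295 res=1
type=USER_ACCT msg=audit(1591000001.000:3): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=CRED_ACQ msg=audit(1591000001.100:4): pid=2001 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=LOGIN msg=audit(1591000001.200:5): pid=2001 uid=0 old-auid=4294967295 auid=0 tty=tty1 old-ses=4294967295 ses=1 res=1
type=USER_START msg=audit(1591000001.300:6): pid=2001 uid=0 auid=0 ses=1 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1591000002.000:7): arch=c000003e syscall=170 success=yes exit=0 items=0 ppid=2001 pid=2050 auid=0 uid=0 gid=0 euid=0 ses=1 comm="hostname" exe="/bin/hostname" key="system-locale"
type=PROCTITLE msg=audit(1591000002.000:7): proctitle=686F73746E616D650061756469742D74657374
EOF
}

# Usage: sh audit-summary.sh /var/log/audit/audit.log [key]
if [ $# -gt 0 ]; then
    audit_type_counts "$1"
    if [ $# -gt 1 ]; then
        echo "records with key=\"$2\": $(audit_key_count "$1" "$2")"
    fi
fi
```

Run it against the real log and the type column will show where the bulk comes from; if `audit_key_count` for `system-locale` is zero while the -a rules are genuinely loaded, the syscall simply did not fire (hostnamectl may reach the kernel through a different process than the one you expect, which is what the strace suggestion in the next reply is about).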
 
Old 06-01-2020, 07:47 AM   #4
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 3,670

Rep: Reputation: Disabled
  1. Just to be sure. You have the -e 2 rule in there. Did you reboot after changing the rules?
  2. Now I wonder if syscall auditing support is enabled in the kernel
    Code:
    grep ^CONFIG_AUDIT /boot/config-`uname -r`
  3. This shouldn't be any different, but I've also noticed that examples in /usr/share/doc/audit/rules/ set filter key with -F key= instead of -k.
  4. Maybe try putting your rules into a separate file, say /etc/audit/rules.d/50-my.rules and generating audit.rules with augenrules:
    Code:
    cp /usr/share/doc/audit/rules/{10-base-config,99-finalize}.rules /etc/audit/rules.d
    sed -i 's/^#-/-/' /etc/audit/rules.d/99-finalize.rules
    cat >/etc/audit/rules.d/50-my.rules <<EOF
    -w /etc/shadow -p wa -k shadow
    -w /etc/passwd -p wa -k passwd
    -w /etc/group -p wa -k group
    -w /etc/sudoers -p wa -k sudoers
    -w /etc/audit/rules.d/audit.rule -p wa -k rules
    -w /etc/security -p wa -k security
    -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
    -a always,exit -F arch=b64 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
    -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
    -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
    EOF
    chmod 600 /etc/audit/rules.d/*
    augenrules --load
  5. A long shot, I know, but still. This is from audit.rules(7):
    Quote:
    If you are not getting events on syscall rules that you think you should, try running a test program under strace so that you can see the syscalls. There is a chance that you might have identified the wrong syscall.

Last edited by shruggy; 06-01-2020 at 08:00 AM.
 
Old 06-06-2020, 04:54 AM   #5
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,495

Original Poster
Rep: Reputation: 85
Quote:
Originally Posted by shruggy View Post
1. Just to be sure. You have the -e 2 rule in there. Did you reboot after changing the rules ?
Yes, I did. After a reboot, no rules have been applied. This file is empty.

Code:
# cat /etc/audit/audit.rules *
## This file is automatically generated from /etc/audit/rules.d
I had to comment out “-e 2” and run this for the rules to be recognized, but it’s still ignoring the system-call rules.

Code:
auditctl -R /etc/audit/rules.d/audit.rule
Quote:
2. Now I wonder if syscall auditing support is enabled in kernel
Code:
grep ^CONFIG_AUDIT /boot/config-`uname -r`
That file does not exist, so I ran this instead.

Code:
# zgrep ^CONFIG_AUDIT /proc/config.gz
CONFIG_AUDIT=y 
CONFIG_AUDITSYSCALL=y 
CONFIG_AUDIT_ARCH=y
Quote:
3. This shouldn't be any different, but I've also noticed that examples in /usr/share/doc/audit/rules/ set filter key with -F key= instead of -k.
I don’t have that directory or any docs at all :/

Quote:
4. Maybe try putting your rules into a separate file, say /etc/audit/rules.d/50-my.rules and generating audit.rules with augenrules:
Code:
cp /usr/share/doc/audit/rules/{10-base-config,99-finalize}.rules /etc/audit/rules.d
sed -i 's/^#-/-/' /etc/audit/rules.d/99-finalize.rules
cat >/etc/audit/rules.d/50-my.rules <<EOF
-w /etc/shadow -p wa -k shadow
-w /etc/passwd -p wa -k passwd
-w /etc/group -p wa -k group
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/rules.d/audit.rule -p wa -k rules
-w /etc/security -p wa -k security
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday,stime,clock_settime -F key=time-change
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
EOF
chmod 600 /etc/audit/rules.d/*
augenrules --load
Those files and the doc directory do not exist on my system.

Code:
[plasma ~]# ls /usr/share/doc/audit/rules/
ls: cannot access '/usr/share/doc/audit/rules/': No such file or directory
[plasma ~]# pacman -Ql audit
audit /etc/
audit /etc/audisp/
audit /etc/audisp/audisp-remote.conf
audit /etc/audisp/audispd.conf
audit /etc/audisp/plugins.d/
audit /etc/audisp/plugins.d/af_unix.conf
audit /etc/audisp/plugins.d/au-remote.conf
audit /etc/audisp/plugins.d/audispd-zos-remote.conf
audit /etc/audisp/plugins.d/syslog.conf
audit /etc/audisp/zos-remote.conf
audit /etc/audit/
audit /etc/audit/audit-stop.rules
audit /etc/audit/auditd.conf
audit /etc/libaudit.conf
audit /usr/
audit /usr/bin/
audit /usr/bin/audisp-remote
audit /usr/bin/audispd
audit /usr/bin/audispd-zos-remote
audit /usr/bin/auditctl
audit /usr/bin/auditd
audit /usr/bin/augenrules
audit /usr/bin/aulast
audit /usr/bin/aulastlog
audit /usr/bin/aureport
audit /usr/bin/ausearch
audit /usr/bin/ausyscall
audit /usr/bin/autrace
audit /usr/bin/auvirt
audit /usr/include/
audit /usr/include/auparse-defs.h
audit /usr/include/auparse.h
audit /usr/include/libaudit.h
audit /usr/lib/
audit /usr/lib/libaudit.so
audit /usr/lib/libaudit.so.1
audit /usr/lib/libaudit.so.1.0.0
audit /usr/lib/libauparse.so
audit /usr/lib/libauparse.so.0
audit /usr/lib/libauparse.so.0.0.0
audit /usr/lib/pkgconfig/
audit /usr/lib/pkgconfig/audit.pc
audit /usr/lib/pkgconfig/auparse.pc
audit /usr/lib/systemd/
audit /usr/lib/systemd/system/
audit /usr/lib/systemd/system/auditd.service
audit /usr/share/
audit /usr/share/aclocal/
audit /usr/share/aclocal/audit.m4
audit /usr/share/man/
audit /usr/share/man/man3/
audit /usr/share/man/man3/audit_add_rule_data.3.gz
audit /usr/share/man/man3/audit_add_watch.3.gz
audit /usr/share/man/man3/audit_delete_rule_data.3.gz
audit /usr/share/man/man3/audit_detect_machine.3.gz
audit /usr/share/man/man3/audit_encode_nv_string.3.gz
audit /usr/share/man/man3/audit_get_reply.3.gz
audit /usr/share/man/man3/audit_get_session.3.gz
audit /usr/share/man/man3/audit_getloginuid.3.gz
audit /usr/share/man/man3/audit_log_acct_message.3.gz
audit /usr/share/man/man3/audit_log_semanage_message.3.gz
audit /usr/share/man/man3/audit_log_user_avc_message.3.gz
audit /usr/share/man/man3/audit_log_user_comm_message.3.gz
audit /usr/share/man/man3/audit_log_user_command.3.gz
audit /usr/share/man/man3/audit_log_user_message.3.gz
audit /usr/share/man/man3/audit_open.3.gz
audit /usr/share/man/man3/audit_request_rules_list_data.3.gz
audit /usr/share/man/man3/audit_request_signal_info.3.gz
audit /usr/share/man/man3/audit_request_status.3.gz
audit /usr/share/man/man3/audit_set_backlog_limit.3.gz
audit /usr/share/man/man3/audit_set_backlog_wait_time.3.gz
audit /usr/share/man/man3/audit_set_enabled.3.gz
audit /usr/share/man/man3/audit_set_failure.3.gz
audit /usr/share/man/man3/audit_set_pid.3.gz
audit /usr/share/man/man3/audit_set_rate_limit.3.gz
audit /usr/share/man/man3/audit_setloginuid.3.gz
audit /usr/share/man/man3/audit_update_watch_perms.3.gz
audit /usr/share/man/man3/auparse_add_callback.3.gz
audit /usr/share/man/man3/auparse_destroy.3.gz
audit /usr/share/man/man3/auparse_feed.3.gz
audit /usr/share/man/man3/auparse_feed_age_events.3.gz
audit /usr/share/man/man3/auparse_feed_has_data.3.gz
audit /usr/share/man/man3/auparse_find_field.3.gz
audit /usr/share/man/man3/auparse_find_field_next.3.gz
audit /usr/share/man/man3/auparse_first_field.3.gz
audit /usr/share/man/man3/auparse_first_record.3.gz
audit /usr/share/man/man3/auparse_flush_feed.3.gz
audit /usr/share/man/man3/auparse_get_field_int.3.gz
audit /usr/share/man/man3/auparse_get_field_name.3.gz
audit /usr/share/man/man3/auparse_get_field_num.3.gz
audit /usr/share/man/man3/auparse_get_field_str.3.gz
audit /usr/share/man/man3/auparse_get_field_type.3.gz
audit /usr/share/man/man3/auparse_get_filename.3.gz
audit /usr/share/man/man3/auparse_get_line_number.3.gz
audit /usr/share/man/man3/auparse_get_milli.3.gz
audit /usr/share/man/man3/auparse_get_node.3.gz
audit /usr/share/man/man3/auparse_get_num_fields.3.gz
audit /usr/share/man/man3/auparse_get_num_records.3.gz
audit /usr/share/man/man3/auparse_get_record_num.3.gz
audit /usr/share/man/man3/auparse_get_record_text.3.gz
audit /usr/share/man/man3/auparse_get_serial.3.gz
audit /usr/share/man/man3/auparse_get_time.3.gz
audit /usr/share/man/man3/auparse_get_timestamp.3.gz
audit /usr/share/man/man3/auparse_get_type.3.gz
audit /usr/share/man/man3/auparse_get_type_name.3.gz
audit /usr/share/man/man3/auparse_goto_field_num.3.gz
audit /usr/share/man/man3/auparse_goto_record_num.3.gz
audit /usr/share/man/man3/auparse_init.3.gz
audit /usr/share/man/man3/auparse_interpret_field.3.gz
audit /usr/share/man/man3/auparse_next_event.3.gz
audit /usr/share/man/man3/auparse_next_field.3.gz
audit /usr/share/man/man3/auparse_next_record.3.gz
audit /usr/share/man/man3/auparse_node_compare.3.gz
audit /usr/share/man/man3/auparse_normalize.3.gz
audit /usr/share/man/man3/auparse_normalize_functions.3.gz
audit /usr/share/man/man3/auparse_reset.3.gz
audit /usr/share/man/man3/auparse_set_escape_mode.3.gz
audit /usr/share/man/man3/auparse_timestamp_compare.3.gz
audit /usr/share/man/man3/ausearch_add_expression.3.gz
audit /usr/share/man/man3/ausearch_add_interpreted_item.3.gz
audit /usr/share/man/man3/ausearch_add_item.3.gz
audit /usr/share/man/man3/ausearch_add_regex.3.gz
audit /usr/share/man/man3/ausearch_add_timestamp_item.3.gz
audit /usr/share/man/man3/ausearch_add_timestamp_item_ex.3.gz
audit /usr/share/man/man3/ausearch_clear.3.gz
audit /usr/share/man/man3/ausearch_next_event.3.gz
audit /usr/share/man/man3/ausearch_set_stop.3.gz
audit /usr/share/man/man3/get_auditfail_action.3.gz
audit /usr/share/man/man3/set_aumessage_mode.3.gz
audit /usr/share/man/man5/
audit /usr/share/man/man5/audisp-remote.conf.5.gz
audit /usr/share/man/man5/audispd.conf.5.gz
audit /usr/share/man/man5/auditd.conf.5.gz
audit /usr/share/man/man5/ausearch-expression.5.gz
audit /usr/share/man/man5/libaudit.conf.5.gz
audit /usr/share/man/man5/zos-remote.conf.5.gz
audit /usr/share/man/man7/
audit /usr/share/man/man7/audit.rules.7.gz
audit /usr/share/man/man8/
audit /usr/share/man/man8/audisp-remote.8.gz
audit /usr/share/man/man8/audispd-zos-remote.8.gz
audit /usr/share/man/man8/audispd.8.gz
audit /usr/share/man/man8/auditctl.8.gz
audit /usr/share/man/man8/auditd.8.gz
audit /usr/share/man/man8/augenrules.8.gz
audit /usr/share/man/man8/aulast.8.gz
audit /usr/share/man/man8/aulastlog.8.gz
audit /usr/share/man/man8/aureport.8.gz
audit /usr/share/man/man8/ausearch.8.gz
audit /usr/share/man/man8/ausyscall.8.gz
audit /usr/share/man/man8/autrace.8.gz
audit /usr/share/man/man8/auvirt.8.gz
audit /var/
audit /var/log/
audit /var/log/audit/
[plasma ~]#
"augenrules --load" was what I needed. Now the system call rules are recognized. Thanks.

Last edited by fakie_flip; 06-06-2020 at 04:58 AM.
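Three things in the two replies above decide whether a rule set takes effect, and each fails quietly: augenrules(8) only merges files in /etc/audit/rules.d/ whose name ends in `.rules` (a file named `audit.rule` is not picked up, which is consistent with the empty generated audit.rules seen after the reboot); a syscall rule without `-F arch=` is resolved for the native arch only, as the quoted manpage text says; and `-e 2` makes the loaded set immutable, so anything after it, and every later auditctl -R or -D, is rejected until the next boot. A fourth trap is a syscall name the native arch does not have: on x86_64 `stime` exists only in the 32-bit table, and auditctl -R without `-c` stops at the first line it cannot parse, leaving every rule after it unloaded. The lint script below is an added example, written for this thread and not part of the audit project; it checks a rules file for those four conditions. The `LINT_CHECK_SYSCALLS` variable is this example's own, and its b32/b64 to i386/x86_64 mapping for ausyscall(8) assumes an x86 host.

```shell
#!/bin/sh
# Static lint for a Linux audit rules file (added example, POSIX sh).
# Prints one "WARN:" line per finding, sets LINT_FINDINGS to the count and
# returns 1 if anything was found, 0 if the file is clean.

_lint_warn() {
    echo "WARN: $LINT_FILE:$1: $2"
    LINT_FINDINGS=$((LINT_FINDINGS + 1))
}

lint_audit_rules() {
    LINT_FILE=$1
    LINT_FINDINGS=0
    _lineno=0
    _immutable=0

    # augenrules only concatenates rules.d files named *.rules
    case $LINT_FILE in
        */rules.d/*.rules) ;;
        */rules.d/*) _lint_warn 0 "not named *.rules, so augenrules will not merge it" ;;
    esac

    set -f                                 # no glob expansion while splitting rule words
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        _line=${_line%%#*}                 # drop comments, whole-line or trailing
        set -- $_line                      # split the rule into its option words
        [ $# -eq 0 ] && continue

        if [ "$_immutable" -eq 1 ]; then
            _lint_warn "$_lineno" "rule after '-e 2' is rejected: the set is already immutable"
            continue
        fi

        case $1 in
        -e)
            if [ "${2:-}" = 2 ]; then
                _immutable=1
                _lint_warn "$_lineno" "'-e 2' locks the rule set; further auditctl -R/-D need a reboot"
            fi
            ;;
        -a|-A)
            _arch=""
            _syscalls=""
            while [ $# -gt 0 ]; do
                case $1 in
                -F) case ${2:-} in arch=*) _arch=${2#arch=} ;; esac; [ $# -gt 1 ] && shift ;;
                -S) _syscalls="$_syscalls $(printf '%s' "${2:-}" | tr ',' ' ')"; [ $# -gt 1 ] && shift ;;
                esac
                shift
            done
            if [ -n "$_syscalls" ] && [ -z "$_arch" ]; then
                _lint_warn "$_lineno" "syscall rule without -F arch=; write one b32 and one b64 rule"
            elif [ "${LINT_CHECK_SYSCALLS:-0}" = 1 ] && command -v ausyscall >/dev/null 2>&1; then
                # ausyscall takes an arch name; b32/b64 are mapped assuming an x86 host
                case $_arch in b32) _m=i386 ;; b64) _m=x86_64 ;; *) _m=$_arch ;; esac
                for _sc in $_syscalls; do
                    [ "$_sc" = all ] && continue
                    ausyscall "$_m" "$_sc" >/dev/null 2>&1 </dev/null ||
                        _lint_warn "$_lineno" "syscall '$_sc' unknown for $_m; auditctl -R would stop here"
                done
            fi
            ;;
        esac
    done < "$LINT_FILE"
    set +f

    [ "$LINT_FINDINGS" -eq 0 ]
}

# Usage: LINT_CHECK_SYSCALLS=1 sh lint-audit-rules.sh /etc/audit/rules.d/50-my.rules
if [ $# -gt 0 ]; then
    lint_audit_rules "$1"
fi
```

Run it on the first version of the file from this thread and it reports the file name, the three arch-less -a rules and the `-e 2`; run it with `LINT_CHECK_SYSCALLS=1` on a host with the audit tools installed and it also flags `stime` on a b64 line. Keeping `-e 2` in a separate, last-sorted file (the 99-finalize.rules pattern suggested above) is what makes the order check pass.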
 