Linux-audit Digest, Vol 27, Issue 2

Steve Grubb sgrubb at redhat.com
Mon Dec 11 23:03:20 UTC 2006 

On Monday 11 December 2006 15:32, Wieprecht, Karen M. wrote:
> 1. Audit Version Differences
> -------------------------------
> -  Our SuSE colleague is using the audit 1.2.3
> -  Our RHEL4 system had audit 1.0.14
>
> If that is correct, then where might I find more on these differences?

In terms of how they do things, there is a lot of difference between them. 
>From a commandline point of view, they are nearly identical. The development 
process has a lot of co-development between kernel and user space. When I've 
found something useful that people using 1.0.X series might like to have, I 
backport it. I do the same for any bugs I know of.

> 2. Configuration recommendations:
> ---------------------------------
>   /etc/audit.rules
>
> 	-a exit,always -S all -F exit=-13		(supposed to
> catch all failed file accesses)

This catches all syscalls that fail with exit code -13.

>  /etc/sysconfig/auditd
>
> 	AUDITD_DISABLE_CONTEXTS="no"			(supposed to
> allow system to do syscall logging so that the above audit.rules setting
> will work)

This doesn't exist. I don't have any idea where you would have got this from.

> I do know that -13 events get generated when a regular user tries to
> mess around with files they do not have privs to access, but I couldn't
> get my audit daemon to capture any of the -13 events with these
> settings.

It should have. You would also want to strace the program to verify the return 
code. But that would be a bug if it didn't work.


> 3. Audit data differences on directory watches .vs. file watches :
> ------------------------------------------------------------------
>
> Since I couldn't get the syscall settings to work, I tested the
> following configurations independently:
>
> 	/etc/audit.rules
> 	a.	-w /etc/ -p w

This detects changes to the directory inodes

> 	b.	-w /etc/nsswitch.conf

This detects changes to the file's inodes

> Then I attempted to do a number of things to /etc/nsswitch.conf as a
> regular user to see if the auditing would detect it:
>
> action attempted		general /etc watch		specific
> /etc/nsswitch.conf
> ----------------		------------------
> ---------------------------
> touch				NO
> yes
> rm				yes
> yes
> mv				yes
> yes
> chown				NO
> yes
> chgrp				NO
> yes
> vi				yes
> yes
> nedit				(no because nedit saw that the file did
> not have write permission, and opened it read only with no errors)
> chmod 777			NO
> yes
> append (via >>)	  	NO					yes
> replace (via > ) 		NO
> yes
>
>
> The generic directory watch isn't going to cut it for us because it
> misses a lot of things that should get logged,

It only logs changes to that directory's inodes.

> but it's not practical to set a specific watch on every file someone might
> try to mess with where they don't have permission...

If you have all the files that you want to watch on one partition, you can use 
syscall auditing of the open syscall with devmajor and devminor to limit the 
number of hits. On RHEL4, syscall auditing impacts performance since each 
rule gets evaluated for every syscall, but watches do not.

> When I had the specific watch on /etc/nsswitch.conf, I saw that all of
> the actions I tested generated a -13 exit code, so I would think that my
> colleague's audit rule would work for us as a generic way to watch for
> ANY file permission failures rather than having to set a watch on every
> single file we want to monitor,

You'll probably be overwhelmed with stuff you didn't want also. And this could 
consume quite a bit of diskspace.

> We thought that our attempt to collect the -13 exit codes might be
> failing because of the difference in our audit version from one where we
> know this works, and that's why we were trying to test a later version
> of audit.

No, the basic mechanism at work is inode auditing. Because inodes can change 
when the file is being edited, a more general way was created, but at its 
heart is the inode. Watches hide that from you.

> -----------------------
> Questions and confusion
> -----------------------
>
> 1. Should we be able to collect -13 exit codes in RHEL4's audit 1.0.14 ?

Yes.

> If so, is there something else we might have to do to get this working
> other than the two configuration changes mentioned in Item 2 above?

If all you want is exit codes of -13, the audit rule above is all you need. 
(The line about AUDITD_DISABLE_CONTEXTS doesn't exist in any of the code I've 
written.) But you might want to figure out how to limit what you are getting 
exit code -13's on. I'd think about limiting by syscall and devmajor/minor 
for performance and diskspace reasons.

> 2. Where might I find out more about the configurable options accepted
> by /etc/sysconfig/auditd?

There are only 3 options and they are documented in the sysconfig file. The 
EXTRAOPTIONS is what's passed to the audit daemon and it only has foreground 
mode - which is used for debug. So that option would not get used much.

> a search on "AUDITD_DISABLE_CONTEXTS" didn't really get me anywhere ...

Doesn't exist...unless somebody has code they aren't sharing.

> 3. If a linux kernel is a Linux kernel,

They aren't. Sometimes, userspace and kernels go together because of kernel 
changes. Audit in 2.6.16 is different than in 2.6.19. Protocols change and 
evolve. Userspace changes too. The 1.2 series of audit is not binary 
compatible with RHEL4 apps.

> then what's the scoop on using Fedora Core (or some other flavor) src rpms
> on RHEL4 if we can't find a RHEL4-specific src rpm for something we need
> (like a newer kernel-headers)? 

I think this is untested and unsupportable. The RHEL4 stream is tested 
together and can only be guaranteed when packages from its stream are used.

> Is this a typical practice, or possible but unsupported, or completely not
> recommended?

In terms of audit, there is more hidden problems than you want to work on. 
1.0.14 should do what you need.

> 4. If there is no src rpm for something we need, but there IS a tar.gz,

You can make and build anything you want. But as a system admin, you'd only 
want to install via rpm so that you can roll changes back or figure out what 
package owns each file. You'd never want to do "make install".

> what's involved in building and installing that package, and are there
> precautions we need to take,  particularly when it involves things like
> glibc-kernheaders or kernel-headers?

Generally, there be dragons ahead. More than I can write about today.

-Steve

More information about the Linux-audit mailing list