Help with setup
Gene Dellinger
gene at poh.com
Thu Mar 16 21:20:42 UTC 2006
Hoping this is the right place to get help configuring auditd(laus) on Red
Hat.
I have 4 high security systems that I need to allow a new employee root
access to. I would like to see everything that is done by root or any other
users/processes, however the only thing I can seem to get it to do is tell
me when my cronjobs, the sa stuff runs and login info.
#############################################
filesets.conf:
# Set of files for which we track read access.
#
set secret-files = {
"/etc",
"/bin",
};
#############################################
filter.conf:
# Various primitive predicates
predicate is-null = eq(0);
predicate is-negative = lt(0);
predicate is-system-uid = lt(100);
predicate is-lower-1024 = lt(-1024);
#
# Predicate to check open(2) mode: true iff
# (mode & O_ACCMODE) == O_RDONLY
predicate is-rdonly = mask(O_ACCMODE, O_RDONLY);
#
# Predicates for testing file type, valid when applied
# to a file type argument
predicate __isreg = mask(S_IFMT, S_IFREG);
predicate __isdir = mask(S_IFMT, S_IFDIR);
predicate __ischr = mask(S_IFMT, S_IFCHR);
predicate __isblk = mask(S_IFMT, S_IFBLK);
predicate __issock = mask(S_IFMT, S_IFSOCK);
predicate __islnk = mask(S_IFMT, S_IFLNK);
predicate s_isreg = __isreg(file-mode);
predicate s_isdir = __isdir(file-mode);
predicate s_ischr = __ischr(file-mode);
predicate s_isblk = __isblk(file-mode);
predicate s_issock = __issock(file-mode);
predicate s_islnk = __islnk(file-mode);
predicate is-tempdir = mask(01777, 01777);
predicate is-world-writable = mask(0666, 0666);
#
# Predicates dealing with process exit code
predicate if-crash-signal =
!mask(__WSIGMASK, 0)
&& (mask(__WSIGMASK, __WSIGILL) ||
mask(__WSIGMASK, __WSIGABRT) ||
mask(__WSIGMASK, __WSIGSEGV) ||
mask(__WSIGMASK, __WSIGSTKFLT));
#
# Predicates for audit-tags
predicate is-o-creat = mask(O_CREAT, O_CREAT);
predicate is-ipc-remove = eq(IPC_RMID);
predicate is-ipc-setperms = eq(IPC_SET);
predicate is-ipc-creat = mask(IPC_CREAT, IPC_CREAT);
predicate is-auditdevice = prefix("/dev/audit");
predicate is-cmd-set-auditid = eq(AUIOCSETAUDITID);
predicate is-cmd-set-loginid = eq(AUIOCLOGIN);
#
# Misc filters
filter is-root = is-null(uid);
filter is-setuid = is-null(dumpable);
filter syscall-failed = is-negative(result);
filter syscall-addr-succeed = is-lower-1024(result);
predicate is-af-packet = eq(AF_PACKET);
predicate is-af-netlink = eq(AF_NETLINK);
predicate is-sock-raw = eq(SOCK_RAW);
#
# Include filesets.
#
include "filesets.conf";
#
# "Secret" files should not be read by everyone -
# we also log read access to these files
#
predicate is-secret = prefix(@secret-files);
#
# All regular files owned by a system uid are deemed sensitive
#
predicate is-system-file = is-system-uid(file-uid)
&& !prefix("/var")
&& !is-world-writable(file-mode);
#
# Define ioctls we track
#
set sysconf-ioctls = {
SIOCADDDLCI,
SIOCADDMULTI,
SIOCADDRT,
SIOCBONDCHANGEACTIVE,
SIOCBONDENSLAVE,
SIOCBONDRELEASE,
SIOCBONDSETHWADDR,
SIOCDARP,
SIOCDELDLCI,
SIOCDELMULTI,
SIOCDELRT,
SIOCDIFADDR,
SIOCDRARP,
SIOCETHTOOL,
SIOCGIFBR,
SIOCSARP,
SIOCSIFADDR,
SIOCSIFBR,
SIOCSIFBRDADDR,
SIOCSIFDSTADDR,
SIOCSIFENCAP,
SIOCSIFFLAGS,
SIOCSIFHWADDR,
SIOCSIFHWBROADCAST,
SIOCSIFLINK,
SIOCSIFMAP,
SIOCSIFMEM,
SIOCSIFMETRIC,
SIOCSIFMTU,
SIOCSIFNAME,
SIOCSIFNETMASK,
SIOCSIFPFLAGS,
SIOCSIFSLAVE,
SIOCSIFTXQLEN,
SIOCSMIIREG
};
predicate is-sysconf-ioctl = eq(@sysconf-ioctls);
#
# System calls on file names
#
set file-ops = {
"mkdir", "rmdir", "unlink",
"chmod",
"chown", "lchown",
"chown32", "lchown32",
};
#
# General system related ops
#
set system-ops = {
swapon, swapoff,
create_module, init_module, delete_module,
sethostname, setdomainname,
};
set priv-ops = {
"setuid",
"setuid32",
"seteuid",
"seteuid32",
"setreuid",
"setreuid32",
"setresuid",
"setresuid32",
"setgid",
"setgid32",
"setegid",
"setegid32",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setgroups",
"setgroups32",
"capset",
};
#
# Audit-Tags (only syscall related tags are handled here)
#
# define sets of syscalls related to audit-tags
# System calls for changing file modes
set mode-ops = {
"chmod",
"fchmod",
};
# System calls for changing file owner
set owner-ops = {
"chown", "lchown",
"chown32", "lchown32",
"fchown",
};
# System calls doing file link operations
set link-ops = {
"link", "symlink",
};
# System calls for creating device files
set mknod-ops = {
"mknod",
};
# System calls for opening a file
set open-ops = {
"open",
};
# File renaming
set rename-ops = {
"rename",
};
# File truncation
set truncate-ops = {
"truncate", "truncate64",
"ftruncate", "ftruncate64",
};
# Unlink files
set unlink-ops = {
"unlink",
};
# Deletion of directories
set rmdir-ops = {
"rmdir",
};
# Mounting of filesystems
set mount-ops = {
"mount",
};
# Unounting of filesystems
set umount-ops = {
"umount",
"umount2"
};
# Changing user (-role)
set userchange-ops = {
"setuid",
"setuid32",
"seteuid",
"seteuid32",
"setreuid",
"setreuid32",
"setresuid",
"setresuid32",
};
# Execute another program
set execute-ops = {
"execve",
};
# Set real user-ID
set realuid-ops = {
"setuid",
"setuid32",
};
# Set user-IDS in gerneral
set setuserids-ops = {
"setuid",
"setuid32",
"seteuid",
"seteuid32",
"setreuid",
"setreuid32",
"setresuid",
"setresuid32",
};
# Set real group-ID
set realgid-ops = {
"setgid",
"setgid32",
"setgroups",
"setgroups32",
};
# Set group-IDs in gerneral
set setgroups-ops = {
"setgid",
"setgid32",
"setegid",
"setegid32",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setgroups",
"setgroups32",
};
# Set other kind of privileges (capabilities)
set privilege-ops = {
"capset",
};
# Change system-time
set timechange-ops = {
"adjtimex",
"stime",
"settimeofday",
};
# bring sets and tags in conjunction
tag "FILE_mode"
syscall @mode-ops = always;
tag "FILE_owner"
syscall @owner-ops = always;
tag "FILE_link"
syscall @link-ops = always;
tag "FILE_mknod"
syscall @mknod-ops = always;
tag "FILE_create"
syscall open = is-o-creat(arg1);
tag "FILE_create"
syscall creat = always;
#tag "FILE_open"
#syscall @open-ops = always;
tag "FILE_open"
syscall @open-ops = (is-system-file(arg0) && !(is-rdonly(arg1)))
|| is-secret(arg0);
tag "FILE_rename"
syscall @rename-ops = always;
tag "FILE_truncate"
syscall @truncate-ops = always;
tag "FILE_unlink"
syscall @unlink-ops = always;
tag "FS_rmdir"
syscall @rmdir-ops = always;
tag "FS_mount"
syscall @mount-ops = always;
tag "FS_umount"
syscall @umount-ops = always;
# I think owner changing doesnt make much sense
tag "MSG_owner"
syscall msgctl = is-ipc-setperms(arg1);
tag "MSG_mode"
syscall msgctl = is-ipc-setperms(arg1);
tag "MSG_delete"
syscall msgctl = is-ipc-remove(arg1);
tag "MSG_create"
syscall msgget = always;
tag "SEM_owner"
syscall semctl = is-ipc-setperms(arg2);
tag "SEM_mode"
syscall semctl = is-ipc-setperms(arg2);
tag "SEM_delete"
syscall semctl = is-ipc-remove(arg2);
tag "SEM_create"
syscall semget = always;
tag "SHM_owner"
syscall shmctl = is-ipc-setperms(arg1);
tag "SHM_mode"
syscall shmctl = is-ipc-setperms(arg1);
tag "SHM_delete"
syscall shmctl = is-ipc-remove(arg1);
tag "SHM_create"
syscall shmget = always;
tag "PRIV_userchange"
syscall @userchange-ops = always;
tag "PROC_execute"
syscall @execute-ops = always;
tag "PROC_realuid"
syscall @realuid-ops = always;
tag "PROC_auditid"
syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-auditid(arg1));
tag "PROC_loginid"
syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-loginid(arg1));
tag "PROC_setuserids"
syscall @setuserids-ops = always;
tag "PROC_realgid"
syscall @realgid-ops = always;
tag "PROC_setgroups"
syscall @setgroups-ops = always;
tag "PROC_privilege"
syscall @privilege-ops = always;
tag "SYS_timechange"
syscall @timechange-ops = always;
# not required by CAPP
syscall ipc = always;
syscall socket = is-af-packet(arg0) || is-sock-raw(arg1);
syscall ioctl = is-sysconf-ioctl(arg1);
#
# Special filters for process/termination
event process-exit = if-crash-signal(exitcode);
#
# Events we want to log unconditionally:
event network-config = always;
event user-message = always;
event process-login = always;
# Custom
predicate is-root = prefix(/bin);
syscall execve = is-root(arg0);
#############################################
Thanks
Gene Dellinger
More information about the Linux-audit
mailing list