NISPOM Auditing

Steve Grubb sgrubb at redhat.com
Thu May 22 21:19:52 UTC 2008 

On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
> I need to log file edit attempts when a user doesn't have permission to
> edit a specific file. For example, a non-root user attempts to edit
> "/var/log/audit/audit'log" which has a permission setting of 640.
> Although the user won't be able to edit the file (permission denied) -
> I'd still like to log the attempt. Here's a snippet of my audit.rules
> file:

Have you looked at the latest nispom.rules file in the audit package? I have a 
set of rules that should meet NISPOM requirements. If it doesn't I'd like to 
know what is wrong with it so we can fix it. This set of rules looks similar 
to it, but there are differences. The main difference is adding -F arch=  to 
each syscall rule to make sure the numbers are correct.


> ## unsuccessful creation
>
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
> -k creation
>
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
> -k creation

-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F 
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F 
exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F 
exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F 
exit=-EACCES -k creation



> ## unsuccessful open
>
> -a exit,always -S open -F exit=-13 -k open

-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open



> ## unsuccessful close
>
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
>
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
>
> -a exit,always -S renameat -F exit=-13 -k mods
>
> ## unsuccessful deletion
>
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
>
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## unauthorized change directory (cd)
>
> -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

:)

> ## Watch Files
>
> -w /var/log/audit/audit.log -p rwxa -k audit-log2

This rule only watches one file. There could be more. You might want a rule 
like:

-w /var/log/audit -k audit-logs

-Steve

More information about the Linux-audit mailing list