Rule Compatibility Issues With Old Version of Audit
Steve Grubb
sgrubb at redhat.com
Fri May 11 14:48:10 UTC 2012
On Wednesday, May 02, 2012 11:47:44 AM Patrick Synor wrote:
> I am struggling here quite a bit trying to implement a ruleset to help
> us log PCI related events. I was able to get a good ruleset that I am
> using successfully on RHEL5 which consists of the following rules:
Before looking at the rules, we can only have forward compatibility. The audit
rules are implemented in the kernel rather than user space. So, once a kernel is
released with new features its sometimes hard to backport those changes to older
kernels.
> -a exclude,always -F msgtype=CWD
>
> -a exit,never -F arch=b32 -F path=/var/log/audit/audit.log
>
> -a exit,never -F arch=b32 -F path=/var/log/messages
>
> -a always,exit -F euid=0 -F perm=wxa -k ROOT_ACTION
>
> -a exit,always -S all -F dir=/var/log -k LOG_ACCESS
>
> -a exit,always -F arch=b32 -F dir=/var/log -S truncate -S unlink -S
> rename -S unlinkat -k LOGS_INIT
>
> -a exit,always -F arch=b64 -F dir=/var/log -S truncate -S unlink -S
> rename -S unlinkat -k LOGS_INIT
>
> -w /etc -p wa -k CONF_ACCESS
>
> However, when I started deploying this I ran into some RHEL4 servers,
> and it appears the version of audit on the RHEL4 servers is 1.0.16.
> This version doesn't seem to like the rules above. For example, the
> first rule results in the following:
>
> Append rule - bad keyword exclude,always
The exclude filter was required for LSPP but not for CAPP. RHEL4 was only
certified to CAPP.
> Changing this rule to -a entry,never -F msgtype=CWD results in:
>
> -F unknown field: msgtype=CWD
This was intended to be used with the exclude filter, so its also not present.
> And -a always,exit -S all -F euid=0 -k ROOT_ACTION results in:
>
> filterkey option needs a watch given prior to it
The kernel API was changed in 2.6.16 to allow strings to be passed as keys for
syscalls. So, the older kernels cannot do this.
> So clearly a lot has changed from this version to the version on the
> RHEL5 box (1.7.18). Anyhow, since upgrading the RHEL4 boxes for this
> isn't an option, I am trying to figure out what I can do to possibly
> modify these rules to work with the older version, or replace the older
> version with a newer version for the sake of this project. From what I
> understand, the kernel on the RHEL4 box (2.6.9-103.EL) may not allow
> this since I understand that the versions of audit are generally kernel
> dependant.
Yes.
> Additionally, just looking at some of the dependencies on
> the audit-libs package on the RHEL4 box I am seeing that a lot of
> critical things depend on it (e.g. PAM, passwd, shadow-utils,
> openssh-server, etc.) so removing it and replacing it will likely be
> quite a mess.
Correct. You really can't upgrade user space and get this to work. It will only
change the error from something meaningful to Invalid Option.
> If anyone has any input or suggestions I would greatly appreciate it.
> Ideally, we shouldn't have any RHEL4 boxes today, but the case is that
> we do, and they cannot be upgraded for the sake of this project, so
> creative solutions are welcomed, and encouraged.
You'll need to alter the rules for the RHEL4 system. RHEL4 was the beginning of
the current audit system and just lacks some things that are common in more
recent kernel/user space.
-Steve
More information about the Linux-audit
mailing list