filtering system calls with auid -1
Steve Grubb
sgrubb at redhat.com
Tue Nov 17 19:55:24 UTC 2015
On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> My aim is to audit only commands executed by root (interactively) and avc
> denied messages (selinux)
I have some questions to help clarify. Command executed by root, or the root
user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1. (the
audit system treats all uid as unsigned numbers therefore auid = -1 is a large
unsigned number.)
Also when you say commands, what do you mean? What root types on the console?
What if that is a shell script that in turn executes many other programs and
scripts?
> Some details about my audit-test-system and current audit configuration.
<snip>
> ### auditctl -l:
> -a never,exit -S all -F auid!=-1
This says you want to mark all user processes permanently unauditable.
> -a never,exit -S all -F auid!=0 -F auid<500
I don't think this adds anything because the previous one includes this.
> -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
Now you want execve run by anything that's not a user, meaning cron jobs and
system services.
> -a always,exclude -F msgtype=CWD
And this says you don't care about reconstructing relative paths.
> ### auditctl -s:
> AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> lost=0 backlog=0
>
> ### /etc/init.d/auditd status:
> auditd (pid 4232) is running...
>
> ### grep -Hrn loginuid /etc/pam.d/:
> /etc/pam.d/login:9:session required pam_loginuid.so
> /etc/pam.d/sshd:9:session required pam_loginuid.so
> /etc/pam.d/remote:9:session required pam_loginuid.so
> /etc/pam.d/ssh-keycat:4:session required pam_loginuid.so
>
> -----
>
> MY QUESTION:
> With the above listed configuration I still get audit.log entries with
> auid=-1 including cron and anacron entries.
Based on your rules, you are getting exactly what you programmed it to do.
> EXAMPLE AUDIT.LOG SNIPPET:
> type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> auid=4294967295 ses=4294967295
<snip>
> What am I missing or doing wrong? I also tried working with pam_tty_audit
> and aureport --tty but that is too detailed as every keypress gets logged.
Sudo will log every command run through it. Maybe that is closer? The execve
approach will log everything, but it will also log all subscripts that are run
as a result of what's entered on the command line. That would be:
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
No other rules.
-Steve
More information about the Linux-audit
mailing list