filtering system calls with auid -1

Steve Grubb sgrubb at redhat.com
Tue Nov 17 19:55:24 UTC 2015 

On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> My aim is to audit only commands executed by root (interactively) and avc
> denied messages (selinux)

I have some questions to help clarify. Command executed by root, or the root 
user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid!= -1. (the 
audit system treats all uid as unsigned numbers therefore auid = -1 is a large 
unsigned number.)

Also when you say commands, what do you mean? What root types on the console? 
What if that is a shell script that in turn executes many other programs and 
scripts?


> Some details about my audit-test-system and current audit configuration.

<snip> 

> ### auditctl -l:
> -a never,exit -S all -F auid!=-1

This says you want to mark all user processes permanently unauditable.

> -a never,exit -S all -F auid!=0 -F auid<500

I don't think this adds anything because the previous one includes this.

> -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands

Now you want execve run by anything that's not a user, meaning cron jobs and 
system services.

> -a always,exclude -F msgtype=CWD

And this says you don't care about reconstructing relative paths. 


> ### auditctl -s:
> AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> lost=0 backlog=0
> 
> ### /etc/init.d/auditd status:
> auditd (pid  4232) is running...
> 
> ### grep -Hrn loginuid /etc/pam.d/:
> /etc/pam.d/login:9:session    required     pam_loginuid.so
> /etc/pam.d/sshd:9:session    required     pam_loginuid.so
> /etc/pam.d/remote:9:session    required     pam_loginuid.so
> /etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so
> 
> -----
> 
> MY QUESTION:
> With the above listed configuration I still get audit.log entries with
> auid=-1 including cron and anacron entries.

Based on your rules, you are getting exactly what you programmed it to do.

 
> EXAMPLE AUDIT.LOG SNIPPET:
> type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> auid=4294967295 ses=4294967295

<snip>
 
> What am I missing or doing wrong? I also tried working with pam_tty_audit
> and aureport --tty but that is too detailed as every keypress gets logged.

Sudo will log every command run through it. Maybe that is closer? The execve 
approach will log everything, but it will also log all subscripts that are run 
as a result of what's entered on the command line. That would be:

-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0

No other rules.

-Steve

More information about the Linux-audit mailing list