perhaps obvious question: auditd and setuid/setgid?

Steve Grubb sgrubb at redhat.com
Fri Sep 4 16:20:38 UTC 2015 

On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
> 
>From a brief examination and test, this appears to not be the case?

There are a couple ways to do this. One is using the find method. However, that 
does not take into account file system based capabilities. In the lab I taught 
this week, the rules generator also included this:


filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -
F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules

filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x 
-F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules

filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F 
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> 
priv.rules

filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F 
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> 
priv.rules


But, if all you want is setuid, then you can use a rule like this instead of 
file watches:

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0

-Steve


> On 09/02/2015 10:32 PM, rshaw1 at umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >> 
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >> 
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >> 
> >> Is there an easier method?
> > 
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7).  Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> > 
> > --Ray
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list