perhaps obvious question: auditd and setuid/setgid?
Steve Grubb
sgrubb at redhat.com
Fri Sep 4 16:20:38 UTC 2015
On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
>From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -
F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x
-F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
But, if all you want is setuid, then you can use a rule like this instead of
file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
-Steve
> On 09/02/2015 10:32 PM, rshaw1 at umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list