Auditing a program use but not what it is doing
Steve Grubb
sgrubb at redhat.com
Thu Feb 13 16:55:22 UTC 2020
On Thursday, February 13, 2020 11:35:46 AM EST MAUPERTUIS, PHILIPPE wrote:
> > Objet : Re: Auditing a program use but not what it is doing
> >
> > On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> >
> > wrote:
> > > Like many, we are using aide and clamav.
> > > I woud like to have an audit record when these program are run but no
> > > records for what they are doing. I mean, I want to know that clamscan
> > > or
> > > aide has been launched but not that it checks say /etc/passwd whatever
> > > rules could be in place for /etc/passwd
> >
> > Then all you need to do is place a watch on them.
> >
> > -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
>
> Just to be sure to understand how it works :
> If we have two rules in that order :
> -a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
The exe option is to audit syscalls by a specific application. For example,
you might want to use it to see what IP address and application connects to.
-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash
To place a _watch_ on a file, you use the path option with permission of
executable. The rule above should be:
-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run
There should be other examples like this in the shipped rules.
> -a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
This will create an event whenever an application writes to or changes
permissions of passwd. Try running adduser or chmod it.
> When running aide :
> - the first rule produces a message
> - the second rule is ignored
It would only trigger on a write/permission change.
-Steve
More information about the Linux-audit
mailing list