reactive audit proposal

Lenny Bruzenak lenny at magitekltd.com
Fri May 15 15:00:17 UTC 2020 

On 5/12/20 6:22 PM, Steve Grubb wrote:

> It may also be possible to poll /sys/block to watch for changes. This might
> be easier as the names are more friendly. This would take some research to
> see if its even possible.
>
> The rule syntax could look something like:
> on=mount mount=/run/user/1000 : -a exit,always ...
> on=device device=/dev/sdd : -a exit,always ...
>
> The on-login event would simply watch the audit trail for any AUDIT_LOGIN
> events. That event can be parsed to get the new auid. If the auid matches
> any rules, then it will load them into the kernel. To remove the rules, we
> could watch for the AUDIT_USER_END event. The only issue is that we would
> need to track how many sessions the user has open and remove the rules only
> when the last session closes out.
>
> The rules for this might look something like this:
> on=login auid=1000 : -a exit,always ...
>
> The question is whether or not this should be done as part of the audit
> daemon or as a plugin for the audit daemon. One advantage of doing this as
> a plugin is that it will keep the audit daemon focused on getting events
> and distributing them. Any programming mistake in the plugin will crash it
> and not the daemon. The tradeoff is that it will get the event slightly
> after auditd sees it. This only matters for the on-login functionality. The
> device and mount events come from an entirely different source. And I'm sure
> that in every case, the program will react faster than a user possibily can
> winning the race evry time.


Although I like this generally, I also have to say that I'm generally 
apprehensive (OK scared) of dynamic rules.

I think also that while your proposal makes sense for some (likely many) 
use cases, usually not ones I deal with. Controlled spaces don't allow 
USB drives and even so, we detect this adequately now. Have plans of 
using USBGuard to augment that stance.

So in that regard, a plugin would be far better for me so I can disable 
it until it fits the model under which I operate. Just my own small, 
non-standard myopic focus. :-)

I also believe that this has more generic application, and you are 
probably using the USB device as an exemplar. There may be other 
reactive rule use cases I would be inclined to reassess.

The login/user_end event watching does pique my interest...besides 
device insertion I imagine there would be some interesting things you 
could do on the fly with that.

But again for me the strength of locking the rules into place is pretty 
big. I can only imagine what an informed pen test crew would do with 
dynamic rule manipulation.

Thanks Steve!

LCB

-- 
Lenny Bruzenak
MagitekLTD

More information about the Linux-audit mailing list