[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Help with setup



Hoping this is the right place to get help configuring auditd(laus) on Red
Hat.

I have 4 high security systems that I need to allow a new employee root
access to. I would like to see everything that is done by root or any other
users/processes, however the only thing I can seem to get it to do is tell
me when my cronjobs, the sa stuff runs and login info.

#############################################
filesets.conf:
# Set of files for which we track read access.
#
set     secret-files = {
        "/etc",
        "/bin",
};
#############################################
filter.conf:
# Various primitive predicates
predicate       is-null         = eq(0);
predicate       is-negative     = lt(0);
predicate       is-system-uid   = lt(100);
predicate       is-lower-1024   = lt(-1024);


#
# Predicate to check open(2) mode: true iff
# (mode & O_ACCMODE) == O_RDONLY
predicate       is-rdonly       = mask(O_ACCMODE, O_RDONLY);

#
# Predicates for testing file type, valid when applied
# to a file type argument
predicate       __isreg         = mask(S_IFMT, S_IFREG);
predicate       __isdir         = mask(S_IFMT, S_IFDIR);
predicate       __ischr         = mask(S_IFMT, S_IFCHR);
predicate       __isblk         = mask(S_IFMT, S_IFBLK);
predicate       __issock        = mask(S_IFMT, S_IFSOCK);
predicate       __islnk         = mask(S_IFMT, S_IFLNK);
predicate       s_isreg         = __isreg(file-mode);
predicate       s_isdir         = __isdir(file-mode);
predicate       s_ischr         = __ischr(file-mode);
predicate       s_isblk         = __isblk(file-mode);
predicate       s_issock        = __issock(file-mode);
predicate       s_islnk         = __islnk(file-mode);
predicate       is-tempdir      = mask(01777, 01777);
predicate       is-world-writable = mask(0666, 0666);

#
# Predicates dealing with process exit code
predicate       if-crash-signal =
                        !mask(__WSIGMASK, 0)
                         && (mask(__WSIGMASK, __WSIGILL) ||
                             mask(__WSIGMASK, __WSIGABRT) ||
                             mask(__WSIGMASK, __WSIGSEGV) ||
                             mask(__WSIGMASK, __WSIGSTKFLT));

#
# Predicates for audit-tags
predicate       is-o-creat              = mask(O_CREAT, O_CREAT);
predicate       is-ipc-remove           = eq(IPC_RMID);
predicate       is-ipc-setperms         = eq(IPC_SET);
predicate       is-ipc-creat            = mask(IPC_CREAT, IPC_CREAT);
predicate       is-auditdevice          = prefix("/dev/audit");
predicate       is-cmd-set-auditid      = eq(AUIOCSETAUDITID);
predicate       is-cmd-set-loginid      = eq(AUIOCLOGIN);

#
# Misc filters
filter          is-root                 = is-null(uid);
filter          is-setuid               = is-null(dumpable);
filter          syscall-failed          = is-negative(result);
filter          syscall-addr-succeed    = is-lower-1024(result);
predicate       is-af-packet            = eq(AF_PACKET);
predicate       is-af-netlink           = eq(AF_NETLINK);
predicate       is-sock-raw             = eq(SOCK_RAW);

#
# Include filesets.
#
include "filesets.conf";


#
# "Secret" files should not be read by everyone -
# we also log read access to these files
#
predicate       is-secret = prefix(@secret-files);

#
# All regular files owned by a system uid are deemed sensitive
#
predicate       is-system-file = is-system-uid(file-uid)
                              && !prefix("/var")
                              && !is-world-writable(file-mode);

#
# Define ioctls we track
#
set             sysconf-ioctls = {
        SIOCADDDLCI,
        SIOCADDMULTI,
        SIOCADDRT,
        SIOCBONDCHANGEACTIVE,
        SIOCBONDENSLAVE,
        SIOCBONDRELEASE,
        SIOCBONDSETHWADDR,
        SIOCDARP,
        SIOCDELDLCI,
        SIOCDELMULTI,
        SIOCDELRT,
        SIOCDIFADDR,
        SIOCDRARP,
        SIOCETHTOOL,
        SIOCGIFBR,
        SIOCSARP,
        SIOCSIFADDR,
        SIOCSIFBR,
        SIOCSIFBRDADDR,
        SIOCSIFDSTADDR,
        SIOCSIFENCAP,
        SIOCSIFFLAGS,
        SIOCSIFHWADDR,
        SIOCSIFHWBROADCAST,
        SIOCSIFLINK,
        SIOCSIFMAP,
        SIOCSIFMEM,
        SIOCSIFMETRIC,
        SIOCSIFMTU,
        SIOCSIFNAME,
        SIOCSIFNETMASK,
        SIOCSIFPFLAGS,
        SIOCSIFSLAVE,
        SIOCSIFTXQLEN,
        SIOCSMIIREG
};
predicate is-sysconf-ioctl      = eq(@sysconf-ioctls);

#
# System calls on file names
#
set     file-ops = {
                        "mkdir", "rmdir", "unlink",
                        "chmod",
                        "chown", "lchown",
                        "chown32", "lchown32",
};

#
# General system related ops
#
set     system-ops = {
                        swapon, swapoff,
                        create_module, init_module, delete_module,
                        sethostname, setdomainname,
};

set     priv-ops = {
                        "setuid",
                        "setuid32",
                        "seteuid",
                        "seteuid32",
                        "setreuid",
                        "setreuid32",
                        "setresuid",
                        "setresuid32",
                        "setgid",
                        "setgid32",
                        "setegid",
                        "setegid32",
                        "setregid",
                        "setregid32",
                        "setresgid",
                        "setresgid32",
                        "setgroups",
                        "setgroups32",
                        "capset",
};

#
# Audit-Tags (only syscall related tags are handled here)
#

# define sets of syscalls related to audit-tags

# System calls for changing file modes
set     mode-ops = {
                        "chmod",
                        "fchmod",
};

# System calls for changing file owner
set     owner-ops = {
                        "chown", "lchown",
                        "chown32", "lchown32",
                        "fchown",
};


# System calls doing file link operations
set     link-ops = {
                        "link", "symlink",
};

# System calls for creating device files
set     mknod-ops = {
                        "mknod",
};

# System calls for opening a file
set     open-ops = {
                        "open",
};
# File renaming
set     rename-ops = {
                        "rename",
};

# File truncation
set     truncate-ops = {
                        "truncate", "truncate64",
                        "ftruncate", "ftruncate64",
};

# Unlink files
set     unlink-ops = {
                        "unlink",
};

# Deletion of directories
set     rmdir-ops = {
                        "rmdir",
};

# Mounting of filesystems
set     mount-ops = {
                        "mount",
};

# Unounting of filesystems
set     umount-ops = {
                        "umount",
                        "umount2"
};

# Changing user (-role)
set     userchange-ops = {
                        "setuid",
                        "setuid32",
                        "seteuid",
                        "seteuid32",
                        "setreuid",
                        "setreuid32",
                        "setresuid",
                        "setresuid32",
};

# Execute another program
set     execute-ops = {
                       "execve",
};

# Set real user-ID
set     realuid-ops = {
                        "setuid",
                        "setuid32",
};

# Set user-IDS in gerneral
set     setuserids-ops = {
                        "setuid",
                        "setuid32",
                        "seteuid",
                        "seteuid32",
                        "setreuid",
                        "setreuid32",
                        "setresuid",
                        "setresuid32",
};

# Set real group-ID
set     realgid-ops = {
                        "setgid",
                        "setgid32",
                        "setgroups",
                        "setgroups32",
};

# Set group-IDs in gerneral
set     setgroups-ops = {
                        "setgid",
                        "setgid32",
                        "setegid",
                        "setegid32",
                        "setregid",
                        "setregid32",
                        "setresgid",
                        "setresgid32",
                        "setgroups",
                        "setgroups32",
};

# Set other kind of privileges (capabilities)
set     privilege-ops = {
                        "capset",
};

# Change system-time
set     timechange-ops = {
                        "adjtimex",
                        "stime",
                        "settimeofday",
};


# bring sets and tags in conjunction

tag "FILE_mode"
syscall @mode-ops = always;

tag "FILE_owner"
syscall @owner-ops = always;

tag "FILE_link"
syscall @link-ops = always;

tag "FILE_mknod"
syscall @mknod-ops = always;

tag "FILE_create"
syscall open = is-o-creat(arg1);
tag "FILE_create"
syscall creat = always;

#tag "FILE_open"
#syscall @open-ops = always;

tag "FILE_open"
syscall @open-ops = (is-system-file(arg0) && !(is-rdonly(arg1)))
                    || is-secret(arg0);

tag "FILE_rename"
syscall @rename-ops = always;

tag "FILE_truncate"
syscall @truncate-ops = always;

tag "FILE_unlink"
syscall @unlink-ops = always;

tag "FS_rmdir"
syscall @rmdir-ops = always;

tag "FS_mount"
syscall @mount-ops = always;

tag "FS_umount"
syscall @umount-ops = always;

# I think owner changing doesnt make much sense
tag "MSG_owner"
syscall msgctl = is-ipc-setperms(arg1);

tag "MSG_mode"
syscall msgctl = is-ipc-setperms(arg1);

tag "MSG_delete"
syscall msgctl = is-ipc-remove(arg1);

tag "MSG_create"
syscall msgget = always;

tag "SEM_owner"
syscall semctl = is-ipc-setperms(arg2);

tag "SEM_mode"
syscall semctl = is-ipc-setperms(arg2);

tag "SEM_delete"
syscall semctl = is-ipc-remove(arg2);

tag "SEM_create"
syscall semget = always;

tag "SHM_owner"
syscall shmctl = is-ipc-setperms(arg1);

tag "SHM_mode"
syscall shmctl = is-ipc-setperms(arg1);

tag "SHM_delete"
syscall shmctl = is-ipc-remove(arg1);

tag "SHM_create"
syscall shmget = always;

tag "PRIV_userchange"
syscall @userchange-ops = always;

tag "PROC_execute"
syscall @execute-ops = always;

tag "PROC_realuid"
syscall @realuid-ops = always;

tag "PROC_auditid"
syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-auditid(arg1));

tag "PROC_loginid"
syscall ioctl = (is-auditdevice(arg0) && is-cmd-set-loginid(arg1));

tag "PROC_setuserids"
syscall @setuserids-ops = always;

tag "PROC_realgid"
syscall @realgid-ops = always;

tag "PROC_setgroups"
syscall @setgroups-ops = always;

tag "PROC_privilege"
syscall @privilege-ops = always;

tag "SYS_timechange"
syscall @timechange-ops = always;


# not required by CAPP
syscall ipc = always;

syscall socket = is-af-packet(arg0) || is-sock-raw(arg1);
syscall ioctl = is-sysconf-ioctl(arg1);

#
# Special filters for process/termination
event process-exit = if-crash-signal(exitcode);

#
# Events we want to log unconditionally:
event network-config = always;
event user-message = always;
event process-login = always;

# Custom
predicate is-root = prefix(/bin);
syscall execve = is-root(arg0);

#############################################


Thanks
Gene Dellinger


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]