Auditing rules maintaining order

Klaus Heinrich Kiwi klausk at linux.vnet.ibm.com
Tue Mar 23 15:08:50 UTC 2010


I saw some discussions and patches about audit rules order in this list
a few months back, and I'm having some problems maintaining the order of
a rules file after they are inputted in a RHEL 5.4 box.

My question is: Can we count on the kernel maintaining the order of
rules being entered? If so, perhaps those patches weren't included in
the RHEL5.4 kernel?

I'm attaching my audit.rules file, which renders the following rule
listing:

[root@bracer2 ~]# auditctl -l
LIST_RULES: exit,never dir=/dev/pts (0x8) perm=rw subj_type=qemu_t
LIST_RULES: exit,never dir=/var/run/libvirt/network (0x18) perm=wa subj_type=dnsmasq_t
LIST_RULES: exit,never dir=/var/log/libvirt/ (0x11) perm=wa subj_type=logrotate_t
LIST_RULES: exit,never dir=/var/cache/libvirt/ (0x13) perm=wa subj_type=initrc_t
LIST_RULES: exit,always dir=/etc/libvirt/ (0xd) perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always arch=1073741827 (0x40000003) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always arch=3221225534 (0xc000003e) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always dir=/var/lib/libvirt/images/ (0x18) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always obj_type=virt_image_t (0xc) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always dir=/var/run/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/lib/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/cache/libvirt/ (0x13) perm=wa subj_type!=qemu_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/log/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_log_change
LIST_RULES: exit,never watch=/dev/ksm perm=rw subj_type=qemu_t
LIST_RULES: exit,never watch=/dev/ptmx perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=x key=virt_qemu_exec
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=wa key=virt_qemu_change
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/ca-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,never watch=/dev/kvm perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-key.pem subj_type!=qemu_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=x key=virt_libvirtd_exec
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=wa key=virt_libvirtd_change
LIST_RULES: exit,always watch=/etc/sasl2/libvirt.conf perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/sysconfig/libvirtd perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/pki/CA/cacert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt/private/serverkey.pem subj_type!=virtd_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/etc/pki/libvirt/servercert.pem perm=wa key=virt_tls_cert

Thanks,

 -Klaus

-- 
Klaus Heinrich Kiwi             | klausk at br.ibm.com 
IBM LTC Security Development    | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc    | http://www.ratliff.net/blog


Attachment: audit.rules
# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

#####
### Don't-audit rules - explicit exclusions for the more generic rules below
# Don't audit Qemu read/writes to necessary devices
-a exit,never -F path=/dev/kvm -F perm=rw -F subj_type=qemu_t
-a exit,never -F path=/dev/ksm -F perm=rw -F subj_type=qemu_t
-a exit,never -F path=/dev/ptmx -F perm=rw -F subj_type=qemu_t
-a exit,never -F dir=/dev/pts -F perm=rw -F subj_type=qemu_t

# Don't audit dnsmasq writing to libvirt network runtime data
-a exit,never -F dir=/var/run/libvirt/network -F perm=wa -F subj_type=dnsmasq_t

# Don't audit logrotate writing to logs
-a exit,never -F dir=/var/log/libvirt/ -F perm=wa -F subj_type=logrotate_t

# Don't audit initrc_t domain writing to temporary storage data
-a exit,never -F dir=/var/cache/libvirt/ -F perm=wa -F subj_type=initrc_t

#####
### Audit access attempts to TLS private keys
-a exit,always -F path=/etc/pki/libvirt/private/serverkey.pem -F subj_type!=virtd_t -k virt_tls_privkey
-a exit,always -F path=/etc/pki/libvirt-vnc/server-key.pem -F subj_type!=qemu_t -k virt_tls_privkey

#####
### Audit attempts at changing libvirt and Qemu certificates (both server and CA)
-a exit,always -F path=/etc/pki/CA/cacert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt/servercert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt-vnc/ca-cert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt-vnc/server-cert.pem -F perm=wa -k virt_tls_cert

######
### Audit any changes to libvirt configuration
-a exit,always -F dir=/etc/libvirt/ -F perm=wa -k virt_libvirt_cfg
-a exit,always -F path=/etc/sysconfig/libvirtd -F perm=wa -k virt_libvirt_cfg
-a exit,always -F path=/etc/sasl2/libvirt.conf -F perm=wa -k virt_libvirt_cfg

######
### Audit every attempt by qemu_t to interact with another domain, unless
### explicitly excluded above
-a exit,always -F arch=b32 -S all -F perm=wax -F subj_type=qemu_t -F obj_type!=qemu_t -k virt_qemu_crossdomain
-a exit,always -F arch=b64 -S all -F perm=wax -F subj_type=qemu_t -F obj_type!=qemu_t -k virt_qemu_crossdomain

######
### Audit changes to virtual images from outside qemu_t domain
-a exit,always -F dir=/var/lib/libvirt/images/ -F perm=wa -F subj_type!=qemu_t -k virt_image_change
-a exit,always -F obj_type=virt_image_t -F perm=wa -F subj_type!=qemu_t -k virt_image_change

######
### Audit changes to qemu/libvirt runtime data (exceptions above)
-a exit,always -F dir=/var/run/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_runtime_change
-a exit,always -F dir=/var/lib/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_runtime_change
-a exit,always -F dir=/var/cache/libvirt/ -F perm=wa -F subj_type!=qemu_t -k virt_runtime_change

######
### Audit changes to qemu/libvirt logs (exceptions above)
-a exit,always -F dir=/var/log/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_log_change

######
### Audit every libvirtd execution
-a exit,always -F path=/usr/sbin/libvirtd -F perm=x -k virt_libvirtd_exec

######
### Audit every libvirtd executable change
-a exit,always -F path=/usr/sbin/libvirtd -F perm=wa -k virt_libvirtd_change

######
### Audit every Qemu execution
-a exit,always -F path=/usr/libexec/qemu-kvm -F perm=x -k virt_qemu_exec

######
### Audit every Qemu executable change
-a exit,always -F path=/usr/libexec/qemu-kvm -F perm=wa -k virt_qemu_change
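As an added example (not part of the original message or of the audit-userspace tools): a small Python checker that parses the rules file and the auditctl -l output, normalizes the spellings that differ between the two (path versus watch, b32/b64 versus the numeric arch, wax versus wxa, the "(0x..)" annotations), and reports which file rules the kernel did not list and which it lists earlier than a rule that preceded them in the file. The embedded sample is a constructed subset of the lines in this message; the arch mapping assumes x86.

```python
import re
ARCH = {"1073741827": "b32", "3221225534": "b64"}  # x86 arch values as auditctl -l prints them

def _norm(field, op, value):  # path/watch are one thing; arch is numeric in the listing; wax == wxa
    if field == "arch":
        value = ARCH.get(value, value)
    if field == "perm":
        value = "".join(sorted(value))
    return ("file" if field in ("path", "watch") else field, op, value)

def parse_rule_line(line):  # '-a list,action -F f=v ... -k key' -> frozenset signature (-S ignored)
    toks = line.split()
    sig = {("action", "=", toks[1])}
    for flag, arg in zip(toks[2:], toks[3:]):  # adjacent (flag, argument) pairs
        if flag == "-F":
            sig.add(_norm(*re.match(r"(\w+)(!?=)(.+)", arg).groups()))
        elif flag == "-k":
            sig.add(("key", "=", arg))
    return frozenset(sig)

def parse_listing_line(line):  # 'LIST_RULES: exit,never dir=/x (0x8) perm=rw ...' -> signature
    action, _, rest = line.split("LIST_RULES:", 1)[1].strip().partition(" ")
    sig = {("action", "=", action)}
    for f, op, v in re.findall(r"(\w+)(!?=)(\S+)", rest):  # the '(0x..)' notes never match
        if f != "syscall":                                  # implied by '-S all' / no -S
            sig.add(_norm(f, op, v))
    return frozenset(sig)

def order_check(rule_lines, listing_lines):
    # Returns (missing, out_of_order): indexes of file rules the kernel did not list,
    # and of file rules it lists before a rule the file placed earlier.
    wanted = [parse_rule_line(l) for l in rule_lines if l.startswith("-a ")]
    listed = [parse_listing_line(l) for l in listing_lines if l.startswith("LIST_RULES:")]
    pos = [listed.index(r) if r in listed else None for r in wanted]
    out_of_order, high = [], -1
    for i, p in enumerate(pos):
        if p is not None and p < high:
            out_of_order.append(i)
        high = max(high, -1 if p is None else p)
    return [i for i, p in enumerate(pos) if p is None], out_of_order

# Constructed sample: three rules from the attached file and their lines from auditctl -l above.
SAMPLE_RULES = [
    "-a exit,never -F path=/dev/kvm -F perm=rw -F subj_type=qemu_t",
    "-a exit,never -F dir=/dev/pts -F perm=rw -F subj_type=qemu_t",
    "-a exit,always -F arch=b64 -S all -F perm=wax -F subj_type=qemu_t -F obj_type!=qemu_t -k virt_qemu_crossdomain",
]
SAMPLE_LISTING = [
    "LIST_RULES: exit,never dir=/dev/pts (0x8) perm=rw subj_type=qemu_t",
    "LIST_RULES: exit,always arch=3221225534 (0xc000003e) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain",
    "LIST_RULES: exit,never watch=/dev/kvm perm=rw subj_type=qemu_t",
]
```

Run it against the full audit.rules and `auditctl -l` output to see every rule whose kernel position disagrees with the file; for the sample, the /dev/pts and arch=b64 rules are reported because the kernel lists them ahead of the /dev/kvm rule that the file put first.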
