perhaps obvious question: auditd and setuid/setgid?
John Jasen
jjasen at gmail.com
Fri Sep 4 17:36:40 UTC 2015
On 09/04/2015 12:20 PM, Steve Grubb wrote:
> On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
>> I was specifically wondering if I was missing the appropriate syscall
>> for the use of setuid or setgid.
>>
> >From a brief examination and test, this appears to not be the case?
>
> There are a couple ways to do this. One is using the find method. However, that
> does not take into account file system based capabilities. In the lab I taught
> this week, the rules generator also included this:
<snipped> filecap examples to add LINUX_CAP executables to audit.rules.
Huh .... I did not think of that.
> But, if all you want is setuid, then you can use a rule like this instead of
> file watches:
>
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
Perfect! Thanks.
For future generations googling for answers, I did the following:
-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv
I didn't pursue the last match, -F euid=0, as there may be cases where
you wish to audit setuid usage, but the binary is not setuid to root.
More information about the Linux-audit
mailing list