* audit su - access
@ 2017-04-21 13:00 Maria Tsiolakki
  2017-04-23  8:48 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Maria Tsiolakki @ 2017-04-21 13:00 UTC (permalink / raw)
  To: linux-audit



Hello,

We have set up the audit log on a Red Hat Linux 7.3 machine.
We have set up various rules, so far successfully. Our last requirement
is to have an audit log entry when a user executes su -, su - root, or sudo su.
I wrote the following rule, but it does not work:
-a always,exit -S su -F auid>=200 -F auid!=4294967295 -F key=su-execution
How can I audit log the execution of the su command?

Best regards
Maria




* Re: audit su - access
  2017-04-21 13:00 audit su - access Maria Tsiolakki
@ 2017-04-23  8:48 ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2017-04-23  8:48 UTC (permalink / raw)
  To: Maria Tsiolakki; +Cc: linux-audit

Hello,

On Fri, 21 Apr 2017 16:00:54 +0300
Maria Tsiolakki <tmaria@cs.ucy.ac.cy> wrote:
> We have setup the audit log on a Redhat linux 7.3 machine
> We have setup various rules, so far successfully. Our last
> requirement is to have audit log, when a user execute the su - or su
> - root, or sudo su I write the following rule , but it does not work
> -a always,exit -S su

This ^^^ is the problem. The -S switch is for system calls. To see a
list of system calls you can run "ausyscall --dump". Su is a
program and not a syscall. So, you would place a watch on it like this:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F
auid!=4294967295 -F key=su-execution

-Steve

> -F auid>=200 -F auid!=4294967295 -F
> key=su-execution How can I audit  log the execution of the su command?
> 
> Best regards
> Maria
> 


* Re: audit su - access
  2017-04-23 14:22 Maria Tsiolakki
@ 2017-04-24 13:55 ` Ed Christiansen MS
  0 siblings, 0 replies; 4+ messages in thread
From: Ed Christiansen MS @ 2017-04-24 13:55 UTC (permalink / raw)
  To: Maria Tsiolakki, Steve Grubb; +Cc: linux-audit



you can set noexec as a mount option for /tmp in /etc/fstab, but also 
realize that if a non-privileged user copies the su executable, it will 
have permissions and ownership appropriate for that user only.

On 4/23/2017 10:22 AM, Maria Tsiolakki wrote:
> Hello,
>
> Many thanks for your answer. I will try your suggestion but what if a
> user makes a copy of the su executable to let's say under /tmp and
> execute /tmp/su . Will this be audited using the rule you suggest?
>
> Best regards
> Maria
>
>
>
> Sent from my Samsung device
>
>
> -------- Original message --------
> From: Steve Grubb <sgrubb@redhat.com>
> Date: 23/04/2017 11:48 (GMT+02:00)
> To: Maria Tsiolakki <tmaria@cs.ucy.ac.cy>
> Cc: linux-audit@redhat.com
> Subject: Re: audit su - access
>
> Hello,
>
> On Fri, 21 Apr 2017 16:00:54 +0300
> Maria Tsiolakki <tmaria@cs.ucy.ac.cy> wrote:
>> We have setup the audit log on a Redhat linux 7.3 machine
>> We have setup various rules, so far successfully. Our last
>> requirement is to have audit log, when a user execute the su - or su
>> - root, or sudo su I write the following rule , but it does not work
>> -a always,exit -S su
>
> This ^^^ is the problem. The -S switch is for system calls. To see a
> list of system calls you can run "ausyscall --dump". Su is a
> program and not a syscall. So, you would place a watch on it like this:
>
> -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F
> auid!=4294967295 -F key=su-execution
>
> -Steve
>
>> -F auid>=200 -F auid!=4294967295 -F
>> key=su-execution How can I audit  log the execution of the su command?
>>
>> Best regards
>> Maria
>>
>
>
>


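A path watch like Steve's matches the watched file itself, so it covers /usr/bin/su and not a copy placed elsewhere; Ed's answer is to make the usual drop locations unable to execute anything at all via the noexec mount option. The check below is an added example, not code from the thread, and it assumes a constructed /etc/fstab sample. It reports which required mount options are missing from the filesystems listed in a required-options table and can rewrite an entry to add them; it goes slightly beyond the reply by also checking nosuid and nodev, which are the options normally paired with noexec on world-writable filesystems.

```python
# Constructed /etc/fstab sample (not from the thread). /tmp is the weak setting
# the reply warns about; /dev/shm shows the hardened form.
SAMPLE_FSTAB = """\
# <device>        <mount>   <type>  <options>                       <dump> <pass>
UUID=1111-2222    /         xfs     defaults                        0 0
UUID=3333-4444    /tmp      xfs     defaults                        0 0
tmpfs             /dev/shm  tmpfs   defaults,nodev,nosuid,noexec    0 0
"""

# Mount points that should not be able to run binaries dropped into them.
# (Assumed policy for this example; adjust to the host's layout.)
REQUIRED = {
    "/tmp": {"noexec", "nosuid", "nodev"},
    "/dev/shm": {"noexec", "nosuid", "nodev"},
}


def parse_fstab(text):
    """Return a list of fstab entries, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({"device": parts[0], "mount": parts[1],
                        "type": parts[2], "options": set(parts[3].split(","))})
    return entries


def missing_options(text, required=REQUIRED):
    """Map each required mount point to the sorted list of options it lacks.
    A mount point absent from fstab is reported with all of its options missing."""
    present = {e["mount"]: e["options"] for e in parse_fstab(text)}
    result = {}
    for mount, opts in required.items():
        missing = sorted(opts - present.get(mount, set()))
        if missing:
            result[mount] = missing
    return result


def harden_line(line, extra_opts):
    """Rewrite one fstab line so its options field also contains extra_opts."""
    parts = line.split()
    opts = parts[3].split(",")
    for opt in sorted(extra_opts):
        if opt not in opts:
            opts.append(opt)
    parts[3] = ",".join(opts)
    return "  ".join(parts)


if __name__ == "__main__":
    for mount, missing in missing_options(SAMPLE_FSTAB).items():
        print(f"{mount}: missing {','.join(missing)}")
    print(harden_line("UUID=3333-4444 /tmp xfs defaults 0 0", REQUIRED["/tmp"]))
```

fstab only describes what is mounted at boot; `findmnt -o TARGET,OPTIONS /tmp` shows the options actually in effect, and a remount is needed before an edited entry applies.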

* Re: audit su - access
@ 2017-04-23 14:22 Maria Tsiolakki
  2017-04-24 13:55 ` Ed Christiansen MS
  0 siblings, 1 reply; 4+ messages in thread
From: Maria Tsiolakki @ 2017-04-23 14:22 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hello,

Many thanks for your answer. I will try your suggestion but what if a user makes a copy of the su executable to let's say under /tmp and execute /tmp/su. Will this be audited using the rule you suggest?

Best regards
Maria


Sent from my Samsung device

-------- Original message --------
From: Steve Grubb <sgrubb@redhat.com> 
Date: 23/04/2017  11:48  (GMT+02:00) 
To: Maria Tsiolakki <tmaria@cs.ucy.ac.cy> 
Cc: linux-audit@redhat.com 
Subject: Re: audit su - access 

Hello,

On Fri, 21 Apr 2017 16:00:54 +0300
Maria Tsiolakki <tmaria@cs.ucy.ac.cy> wrote:
> We have setup the audit log on a Redhat linux 7.3 machine
> We have setup various rules, so far successfully. Our last
> requirement is to have audit log, when a user execute the su - or su
> - root, or sudo su I write the following rule , but it does not work
> -a always,exit -S su

This ^^^ is the problem. The -S switch is for system calls. To see a
list of system calls you can run "ausyscall --dump". Su is a
program and not a syscall. So, you would place a watch on it like this:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F
auid!=4294967295 -F key=su-execution

-Steve

> -F auid>=200 -F auid!=4294967295 -F
> key=su-execution How can I audit  log the execution of the su command?
> 
> Best regards
> Maria
> 


