* Question - Rule Syntax
@ 2011-12-22 21:19 Bryan Jacobs
  2011-12-29 14:10 ` Trevor Vaughan
  2012-01-03 14:13 ` Steve Grubb
  0 siblings, 2 replies; 4+ messages in thread
From: Bryan Jacobs @ 2011-12-22 21:19 UTC (permalink / raw)
  To: linux-audit

All,

New auditd list member here.  I just started playing around with auditd. 
I was wondering if someone might be kind enough to answer a question I 
have. I am attempting to create a rule that will audit privileged 
commands for UIDs greater than 500 but ignore one particular user that 
falls under this rule.  The user I am trying to ignore is the only user 
that should be touching the file.

Below is the rule.

#### BEGIN RULE SNIP ####

## Ensure auditd Collects Information on the Use of Privileged Commands

-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged

#### END RULE SNIP ####

Is the rule syntax above correct?  If not, how would I audit all users 
with UID above 500 but still ignore one particular user?


Thank you and happy holidays,

-- 
BKJ


----------------------------------------------------
Virus Free -- Scanned By MailSecurity
----------------------------------------------------
This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Any views expressed in this message are those of the author, except where the sender specifically states them to be the views of BBG, Inc.


* Re: Question - Rule Syntax
  2011-12-22 21:19 Question - Rule Syntax Bryan Jacobs
@ 2011-12-29 14:10 ` Trevor Vaughan
  2011-12-30  1:32   ` Bryan Jacobs
  2012-01-03 14:13 ` Steve Grubb
  1 sibling, 1 reply; 4+ messages in thread
From: Trevor Vaughan @ 2011-12-29 14:10 UTC (permalink / raw)
  To: Bryan Jacobs; +Cc: linux-audit

I'm hoping to be told otherwise, but the cleanest and most maintainable way that I've seen to do this is to make two rules.

First Rule: Ignore user 505
Second Rule: Audit everyone

Auditd should stop at the first rule matched. It does add more rules but seems to be the most stable across auditd versions.

Also, that auid!=42... should probably be near the top of your rules since it will get hit the most and I'm assuming that you don't ever want to audit anonymous accesses to most items.

Trevor

* Re: Question - Rule Syntax
  2011-12-29 14:10 ` Trevor Vaughan
@ 2011-12-30  1:32   ` Bryan Jacobs
  0 siblings, 0 replies; 4+ messages in thread
From: Bryan Jacobs @ 2011-12-30  1:32 UTC (permalink / raw)
  To: Trevor Vaughan; +Cc: linux-audit

Trevor,

Thank you for the information.  I have not had a chance to test it out yet
but this is what I ended up doing from your advice...

**** BEGIN SNIP RULES ****
## Ignore the Varonis account (to reduce audit noise)
-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/bin/stat -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_all_accounts -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_diag.sh -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_local_accounts -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_stat -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/vrns_mond -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/vrns_statd -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
## Apply the Varonis rules to everyone else with UID 500 and above
-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/bin/stat -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_all_accounts -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_diag.sh -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_local_accounts -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/utils/vrns_stat -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/vrns_mond -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
-a always,exit -F path=/opt/varonis1.6.0106/vrns_statd -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
**** END SNIP RULES ****

Hope this works.



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Question - Rule Syntax
  2011-12-22 21:19 Question - Rule Syntax Bryan Jacobs
  2011-12-29 14:10 ` Trevor Vaughan
@ 2012-01-03 14:13 ` Steve Grubb
  1 sibling, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2012-01-03 14:13 UTC (permalink / raw)
  To: linux-audit

On Thursday, December 22, 2011 04:19:34 PM Bryan Jacobs wrote:
> I am attempting to create a rule that will audit privileged
> commands for UID's greater than 500 but ignore one particular user that
> falls under this rule.  The user I am trying to ignore is the only user
> that should be touching the file.
> 
> Below is the rule.
> 
> #### BEGIN RULE SNIP ####
> 
> ## Ensure auditd Collects Information on the Use of Privileged Commands
> 
> -a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
> 
> #### END RULE SNIP ####
> 
> Is the rule syntax above correct?

This looks correct to me.

-Steve
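
Bryan's single rule (the one Steve confirms) and Trevor's "ignore first, then audit everyone" layout express the same policy, and the difference between them only shows once you trace how the exit filter walks the rule list. The Python below is an added example written for this page; it is not code from the thread or from the audit project. It assumes the documented semantics of auditctl(8): rules are evaluated in list order, every -F field of one rule must match (AND), and the first matching rule decides, with action `never` dropping the event and `always` recording it under the rule's key. A `-F path=... -F perm=x` pair is modelled as an exact path comparison on an exec event, the only event type the thread is concerned with. The rule strings and the auid values (0, 501, 505, the unset value 4294967295) are constructed from the ones posted above; the `-a never,exit ... -F auid=505` line is the exclusion form of Trevor's "first rule: ignore user 505".

```python
"""
Simulate how the audit exit filter chooses a rule for an exec event.

Added example, not code from this thread or the audit project. Modelled
semantics (assumptions, taken from auditctl(8)): rules are walked in list
order, all -F fields of a rule are ANDed, and the first matching rule
decides: 'never' drops the event, 'always' records it with the rule's key.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

UNSET_AUID = 4294967295  # (uint32)-1: no login session, e.g. a daemon

_FIELD = re.compile(r"^(?P<name>[a-z_]+)(?P<op>>=|<=|!=|=|>|<)(?P<value>.+)$")
_NUMERIC = {"auid", "uid", "euid", "gid", "egid"}


@dataclass
class Rule:
    action: str                                  # "always" or "never"
    flt: str                                     # "exit" for every rule here
    fields: list = field(default_factory=list)   # [(name, op, value), ...]
    key: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one 'auditctl -a action,list -F name[op]value ... -k key' line."""
    toks = shlex.split(line)
    if toks[:1] != ["-a"]:
        raise ValueError(f"not an -a rule: {line!r}")
    action, flt = toks[1].split(",")
    rule = Rule(action, flt)
    i = 2
    while i < len(toks):
        if toks[i] == "-F":
            m = _FIELD.match(toks[i + 1])
            if m is None:
                raise ValueError(f"bad field: {toks[i + 1]!r}")
            rule.fields.append((m["name"], m["op"], m["value"]))
        elif toks[i] == "-k":
            rule.key = toks[i + 1]
        else:
            raise ValueError(f"unsupported token: {toks[i]!r}")
        i += 2
    return rule


def load(text: str) -> list:
    """Load a rules-file body, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _field_matches(name: str, op: str, value: str, event: dict) -> bool:
    if name == "perm":                 # exec event: a perm containing x applies
        return "x" in value
    if name == "path":                 # watch modelled as an exact path match
        return event["path"] == value
    if name in _NUMERIC:
        lhs, rhs = int(event[name]), int(value)
        return {"=": lhs == rhs, "!=": lhs != rhs, ">": lhs > rhs,
                "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]
    raise ValueError(f"field {name!r} is not modelled")


def decide(rules: list, event: dict) -> tuple:
    """First matching exit rule wins: ('log', key), ('drop', None) or ('nomatch', None)."""
    for r in rules:
        if r.flt == "exit" and all(_field_matches(n, o, v, event) for n, o, v in r.fields):
            return ("log", r.key) if r.action == "always" else ("drop", None)
    return ("nomatch", None)


TOOL = "/opt/varonis1.6.0106/bin/ls"   # path from the thread; auid 505 is the Varonis account

# Bryan's original single rule, the one Steve confirmed.
SINGLE = load(f"""
-a always,exit -F path={TOOL} -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
""")

# Trevor's layout: an exclusion rule (action never) placed before the audit rule.
TWO_RULES = load(f"""
-a never,exit -F path={TOOL} -F perm=x -F auid=505
-a always,exit -F path={TOOL} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
""")

# The same two rules reversed: the always rule now matches auid 505 first.
WRONG_ORDER = load(f"""
-a always,exit -F path={TOOL} -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a never,exit -F path={TOOL} -F perm=x -F auid=505
""")

# An always rule with auid!=505 is an audit rule, not an exclusion: it records
# every other auid, including those below 500 that the policy never asked for.
ALWAYS_NOT_505 = load(f"""
-a always,exit -F path={TOOL} -F perm=x -F auid!=505 -F auid!=4294967295 -k privileged
""")


def outcome(rules: list, auid: int, path: str = TOOL) -> tuple:
    return decide(rules, {"path": path, "auid": auid})


if __name__ == "__main__":
    for label, rules in [("SINGLE", SINGLE), ("TWO_RULES", TWO_RULES),
                         ("WRONG_ORDER", WRONG_ORDER), ("ALWAYS_NOT_505", ALWAYS_NOT_505)]:
        print(label, {a: outcome(rules, a)[0] for a in (0, 501, 505, UNSET_AUID)})
```

Running it shows the single rule and the never/always pair agreeing on every auid, the reversed pair logging auid 505 because the `always` rule is reached first, and the `always ... auid!=505` form recording auid 0 as well. On a real host the equivalent check is to load the file with `auditctl -R` (or restart auditd), confirm the resulting order with `auditctl -l`, execute the watched binary as the excluded and a non-excluded user, and compare `ausearch -k privileged` against what the simulator predicts.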

