Syscalls to use

Syscalls to use

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 1854 bytes --]

I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list
the ausyscalls; but apparently I mis-understood/interpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things; of which I know
how to manage most, for examples:


   1. File & Object


   - Creation (Success/Failure)                                   |  w
   - Access (Success/Failure)                                    |  r
   - Deletion (Success/Failure)                                   |  w
   - Content Modification (Success/Failure)                 |  a
   - Permission Modification (Success/Failure)            |  a
   - Ownership Modification (Success/Failure)             |  a

For these I would have used a watch (*-w*) rule and set the -p flags to *r,
w* or *a* as shown above.  From what I understand though, correct me if I
am wrong Steve, we should be getting away from the watch rules and move
towards Syscalls and using *-F path=/path/to/file*, or
*-F path=/path/to/several_files/*   -- is this correct, both for RHEL6 and
RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:

*Authentications*
Logons
Logoffs


*Writes/downloads to external devices/media*
*Uploads from external devices/media *(
*such as DvD, thumbdrive, etc)*

*User & Group* *events*
User:  Creation, deletion, Modification, suspending/locking
Group/Role:  Creation, deletion, modification

*Use of Privileged/Special Rights events* (
*such as sudo, su, etc..)*

*Printing to a print-device*


*Printing to a file*
Thanks in advance for any steering someone could provide to get me moving
in the correct direction.

--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 3556 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Syscalls to use

[Ryan Sawhill]

[-- Attachment #1.1: Type: text/plain, Size: 5427 bytes --]

warron.french <warron.french@gmail.com> wrote:

> Anyway, my organization has a goal to audit several things; of which I
> know how to manage most, for examples:
> ...
>

Hi Warron. Have you looked at the various *.rules files that are shipped
with the audit package? In RHEL/CentOS, you'll see:

~]# ls -1 /usr/share/doc/audit-2.4.1/*rules
> /usr/share/doc/audit-2.4.1/capp.rules
> /usr/share/doc/audit-2.4.1/lspp.rules
> /usr/share/doc/audit-2.4.1/nispom.rules
> /usr/share/doc/audit-2.4.1/stig.rules
>

These files already have example rules to do probably everything you're
trying to do.

In newer versions, e.g., in Fedora, it gets even fancier:

~]# ls /usr/share/doc/audit/rules/
> 10-base-config.rules    32-power-abuse.rules
> 10-no-audit.rules       40-local.rules
> 11-loginuid.rules       41-containers.rules
> 12-cont-fail.rules      42-injection.rules
> 12-ignore-error.rules   43-module-load.rules
> 20-dont-audit.rules     70-einval.rules
> 21-no32bit.rules        71-networking.rules
> 22-ignore-chrony.rules  99-finalize.rules
> 30-nispom.rules         Makefile
> 30-pci-dss-v31.rules    Makefile.am
> 30-stig.rules           Makefile.in
> 31-privileged.rules     README-rules
>

These are also all well-documented examples. I think if you look through
those, you'll find everything you're looking for.


warron.french <warron.french@gmail.com> wrote:

> For these I would have used a watch (*-w*) rule and set the -p flags to *r,
> w* or *a* as shown above.  From what I understand though, correct me if I
> am wrong Steve, we should be getting away from the watch rules and move
> towards Syscalls and using *-F path=/path/to/file*, or
> *-F path=/path/to/several_files/*   -- is this correct, both for RHEL6
> and RHEL7?
>

No. The simple -w syntax isn't going anywhere. My understanding: there's no
performance hit for adding additional simple -w rules; whereas, you DO take
a performance hit for each additional syscall-auditing rule line. Use
watches if you can get away with the restrictive simplicity they offer; use
syscall-rules when you need to.


warron.french <warron.french@gmail.com> wrote:

> Also, I need to audit (Success/Failure) for the following sort of things:
>
> *Authentications*
> Logons
> Logoffs
>

You can see examples of how to handle that in the rules the audit package
ships with, e.g., from nispom:

## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
> ## This is covered by patches to login, gdm, and openssh
> ## Might also want to watch these files if needing extra information
> #-w /var/log/tallylog -p wa -k logins
> #-w /var/run/faillock/ -p wa -k logins
> #-w /var/log/lastlog -p wa -k logins
> #-w /var/log/btmp -p wa -k logins
> #-w /var/run/utmp -p wa -k logins
>

Or from stig:

## (GEN002720-GEN002840: CAT II) (Previously – G100-G106) The SA will
> ## configure the auditing system to audit the following events for all
> ## users and root:
> ##
> ## - Logon (unsuccessful and successful) and logout (successful)
> ##
> ## Handled by pam, sshd, login, and gdm
> ## Might also want to watch these files if needing extra information
> #-w /var/log/tallylog -p wa -k logins
> #-w /var/run/faillock/ -p wa -k logins
> #-w /var/log/lastlog -p wa -k logins
>
> ##- Process and session initiation (unsuccessful and successful)
> ##
> ## The session initiation is audited by pam without any rules needed.
> ## Might also want to watch this file if needing extra information
> #-w /var/run/utmp -p wa -k session
> #-w /var/log/btmp -p wa -k session
> #-w /var/log/wtmp -p wa -k session
>


warron.french <warron.french@gmail.com> wrote:

>
> *Writes/downloads to external devices/media*
> *Uploads from external devices/media *(
> *such as DvD, thumbdrive, etc)*
>

You can audit mount syscalls, but that's not exactly fun on a modern
system. In any case, in stig rules:

##- Export to media (successful)
> ## You have to mount media before using it. You must disable all
> automounting
> ## so that its done manually in order to get the correct user requesting
> the
> ## export
> -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F
> key=export
> -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F
> key=export
>

That said, the above example is assuming root login is disabled (requiring
people login as their own user and su/sudo to root) ... but it's something.
There was some discussion back in April cross-posted between the
linux-audit, linux-usb, and linux-kernel mailing lists (subj: "[RFC] Create
an audit record of USB specific details"). I think the usual approach is to
just disable stuff from BIOS. I could imagine (as a band-aid) adding udev
rules that generate audit events as well but I've never done it.


warron.french <warron.french@gmail.com> wrote:

> *User & Group* *events*
> User:  Creation, deletion, Modification, suspending/locking
> Group/Role:  Creation, deletion, modification
>
> *Use of Privileged/Special Rights events* (*such as sudo, su, etc..)*
>

Yep you'll find that in stig, nispom, etc.


warron.french <warron.french@gmail.com> wrote:

>
> *Printing to a print-device*
> *Printing to a file*
>

I would just completely remove CUPS ... or log use of lp/lpr commands.

Hope this helps get you on the right track.

[-- Attachment #1.2: Type: text/html, Size: 9150 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Fwd: Syscalls to use

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 2254 bytes --]

Steve, would you mind giving me a little more guidance on this?

Is there anything more specific you can suggest?

I don't want to provide a false sense of security to my IA people.
--------------------------
Warron French


---------- Forwarded message ----------
From: warron.french <warron.french@gmail.com>
Date: Tue, Oct 11, 2016 at 2:58 PM
Subject: Syscalls to use
To: linux-audit@redhat.com


I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list
the ausyscalls; but apparently I mis-understood/interpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things; of which I know
how to manage most, for examples:


   1. File & Object


   - Creation (Success/Failure)                                   |  w
   - Access (Success/Failure)                                    |  r
   - Deletion (Success/Failure)                                   |  w
   - Content Modification (Success/Failure)                 |  a
   - Permission Modification (Success/Failure)            |  a
   - Ownership Modification (Success/Failure)             |  a

For these I would have used a watch (*-w*) rule and set the -p flags to *r,
w* or *a* as shown above.  From what I understand though, correct me if I
am wrong Steve, we should be getting away from the watch rules and move
towards Syscalls and using *-F path=/path/to/file*, or
*-F path=/path/to/several_files/*   -- is this correct, both for RHEL6 and
RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:

*Authentications*
Logons
Logoffs


*Writes/downloads to external devices/media*
*Uploads from external devices/media *(
*such as DvD, thumbdrive, etc)*

*User & Group* *events*
User:  Creation, deletion, Modification, suspending/locking
Group/Role:  Creation, deletion, modification

*Use of Privileged/Special Rights events* (
*such as sudo, su, etc..)*

*Printing to a print-device*


*Printing to a file*
Thanks in advance for any steering someone could provide to get me moving
in the correct direction.

--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 4576 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]