From mboxrd@z Thu Jan  1 00:00:00 1970
From: "warron.french" <warron.french@gmail.com>
Subject: Fwd: Syscalls to use
Date: Wed, 26 Oct 2016 20:16:20 +0000
Message-ID: <CAJdJdQ=Hp-W2m5hquRRzOteW5bskFmNHh6snh+hc+96fomVa-Q@mail.gmail.com>
References: <CAJdJdQkE_TiJNVyecYfCT819gWANDNYQpr3wT0UHs16MQWOd+w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3394498150845360923=="
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAJdJdQkE_TiJNVyecYfCT819gWANDNYQpr3wT0UHs16MQWOd+w@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============3394498150845360923==
Content-Type: multipart/alternative; boundary=001a11479f905c2705053fca4c44

--001a11479f905c2705053fca4c44
Content-Type: text/plain; charset=UTF-8

Steve, would you mind giving me a little more guidance on this?

Is there anything more specific you can suggest?

I don't want to provide a false sense of security to my IA people.
--------------------------
Warron French


---------- Forwarded message ----------
From: warron.french <warron.french@gmail.com>
Date: Tue, Oct 11, 2016 at 2:58 PM
Subject: Syscalls to use
To: linux-audit@redhat.com


I apologize, but I am not sure how to go about determining the appropriate
syscalls to use for various audit goals.

I know that recently I learned to use the ausyscall --dump command to list
the ausyscalls; but apparently I mis-understood/interpreted the purpose of
1 or 2 of the syscalls and had to be corrected (thanks Steve).

Anyway, my organization has a goal to audit several things; of which I know
how to manage most, for examples:


   1. File & Object


   - Creation (Success/Failure)                                   |  w
   - Access (Success/Failure)                                    |  r
   - Deletion (Success/Failure)                                   |  w
   - Content Modification (Success/Failure)                 |  a
   - Permission Modification (Success/Failure)            |  a
   - Ownership Modification (Success/Failure)             |  a

For these I would have used a watch (*-w*) rule and set the -p flags to *r,
w* or *a* as shown above.  From what I understand though, correct me if I
am wrong Steve, we should be getting away from the watch rules and move
towards Syscalls and using *-F path=/path/to/file*, or
*-F path=/path/to/several_files/*   -- is this correct, both for RHEL6 and
RHEL7?

Also, I need to audit (Success/Failure) for the following sort of things:

*Authentications*
Logons
Logoffs


*Writes/downloads to external devices/media*
*Uploads from external devices/media *(
*such as DvD, thumbdrive, etc)*

*User & Group* *events*
User:  Creation, deletion, Modification, suspending/locking
Group/Role:  Creation, deletion, modification

*Use of Privileged/Special Rights events* (
*such as sudo, su, etc..)*

*Printing to a print-device*


*Printing to a file*
Thanks in advance for any steering someone could provide to get me moving
in the correct direction.

--------------------------
Warron French

--001a11479f905c2705053fca4c44
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div>Steve, would you mind giving me a little more gu=
idance on this?<br><br></div>Is there anything more specific you can sugges=
t?=C2=A0 <br><br></div>I don&#39;t want to provide a false sense of securit=
y to my IA people.<br clear=3D"all"><div><div><div><div><div class=3D"gmail=
_signature" data-smartmail=3D"gmail_signature"><div dir=3D"ltr">-----------=
---------------<br><font color=3D"#000099" size=3D"4">Warron French<br><fon=
t size=3D"4"><font size=3D"4"><font size=3D"4"><br></font></font></font></f=
ont></div></div></div>
<br><div class=3D"gmail_quote">---------- Forwarded message ----------<br>F=
rom: <b class=3D"gmail_sendername">warron.french</b> <span dir=3D"ltr">&lt;=
<a href=3D"mailto:warron.french@gmail.com">warron.french@gmail.com</a>&gt;<=
/span><br>Date: Tue, Oct 11, 2016 at 2:58 PM<br>Subject: Syscalls to use<br=
>To: <a href=3D"mailto:linux-audit@redhat.com">linux-audit@redhat.com</a><b=
r><br><br><div dir=3D"ltr"><div><div><div><div><div>I apologize, but I am n=
ot sure how to go about determining the appropriate syscalls to use for var=
ious audit goals.<br><br></div>I know that recently I learned to use the au=
syscall --dump command to list the ausyscalls; but apparently I mis-underst=
ood/interpreted the purpose of 1 or 2 of the syscalls and had to be correct=
ed (thanks Steve).<br><br></div>Anyway, my organization has a goal to audit=
 several things; of which I know how to manage most, for examples:<br><br><=
ol><li>File &amp; Object</li></ol><ul><li>Creation (Success/Failure)=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wb=
r>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 w<br></li><l=
i>Access (Success/Failure)=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 |=C2=A0 r<br></li><li><span class=3D"m_35927923480860221=
54m_-102827351259328000gmail-">Deletion</span> (Success/Failure)=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 w<br></li><li><=
span class=3D"m_3592792348086022154m_-102827351259328000gmail-">Content Mod=
ification</span> (Success/Failure)=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0<wbr>=C2=A0=C2=A0=C2=A0 |=C2=A0 a<br=
></li><li><span class=3D"m_3592792348086022154m_-102827351259328000gmail-">=
Permission Modification </span>(Success/Failure)=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 a<br></li><li>Ownership Mod=
ification (Success/Failure)=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 a<br></li></ul></div>For these I would hav=
e used a watch (<i><b>-w</b></i>) rule and set the -p flags to <b>r, w</b> =
or <b>a</b> as shown above.=C2=A0 From what I understand though, correct me=
 if I am wrong Steve, we should be getting away from the watch rules and mo=
ve towards Syscalls and using <b>-F path=3D/path/to/file</b>, or<br><b>-F p=
ath=3D/path/to/several_files/</b>=C2=A0=C2=A0 -- is this correct, both for =
RHEL6 and RHEL7?<br><br></div>Also, I need to audit  (Success/Failure) for =
the following sort of things:<br></div><div><b><font color=3D"#ff0000">Auth=
entications<br></font></b></div><div><span style=3D"color:rgb(0,0,255)">Log=
ons<br></span></div><div><font color=3D"#ff0000"><span style=3D"color:rgb(0=
,0,255)">Logoffs</span><br><br></font></div><div><font color=3D"#ff0000"><b=
>Writes/downloads to external devices/media<br></b></font></div><div><font =
color=3D"#ff0000"><b>Uploads from external devices/media </b>(<i>such as Dv=
D, thumbdrive, etc)<br></i></font></div><div><font color=3D"#ff0000"><b><br=
>User &amp; Group</b> <b>events</b><br></font></div><div><div><div><div><di=
v><div><div><span style=3D"color:rgb(0,0,255)">User:=C2=A0 Creation, deleti=
on, Modification, suspending/locking<br></span></div><div><span style=3D"co=
lor:rgb(0,0,255)">Group/Role:=C2=A0 Creation, deletion, modification<br><br=
></span></div><div><span style=3D"color:rgb(0,0,255)"><b><font color=3D"#ff=
0000">Use of Privileged/Special Rights events</font></b><font color=3D"#ff0=
000"> (<i>such as sudo, su, etc..)<br></i></font></span></div><div><span st=
yle=3D"color:rgb(0,0,255)"><font color=3D"#ff0000"><b>Printing to a print-d=
evice<br></b></font></span></div><div><span style=3D"color:rgb(0,0,255)"><f=
ont color=3D"#ff0000"><b>Printing to a file<br><br></b></font></span></div>=
<div><span style=3D"color:rgb(0,0,255)"><font color=3D"#ff0000"><span style=
=3D"color:rgb(0,0,0)">Thanks in advance for any steering someone could prov=
ide to get me moving in the correct direction.</span><b><br></b></font></sp=
an></div><div><br clear=3D"all"><div><div class=3D"m_3592792348086022154m_-=
102827351259328000gmail_signature"><div dir=3D"ltr">-----------------------=
---<br><font color=3D"#000099" size=3D"4">Warron French<br><font size=3D"4"=
><font size=3D"4"><font size=3D"4"><br></font></font></font></font></div></=
div></div>
</div></div></div></div></div></div></div></div>
</div><br></div></div></div></div>

--001a11479f905c2705053fca4c44--


--===============3394498150845360923==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3394498150845360923==--