* Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
@ 2022-05-19 16:45 Alex Triantafillidis (DESIGN LABORATORY INC)
  2022-05-19 19:45 ` Paul Moore
From: Alex Triantafillidis (DESIGN LABORATORY INC) @ 2022-05-19 16:45 UTC (permalink / raw)
  To: linux-audit



Hello Audit,
I am trying to implement a set of rules related to “xattrs” on MS CBL-Mariner 1.0.
I am following this guide: https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-hipaa.html#xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown

Record Events that Modify the System's Discretionary Access Controls (group contains 13 rules)
[ref: https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-hipaa.html#xccdf_org.ssgproject.content_group_audit_dac_actions]
At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines; however, this is less efficient. Add the following to /etc/audit/audit.rules:

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

The thing is, I get an error for any of setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr:

bash: setxattr: command not found

Is there any way I can enable the above in Mariner?
Thank you.
AlexT


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
  2022-05-19 16:45 Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr Alex Triantafillidis (DESIGN LABORATORY INC)
@ 2022-05-19 19:45 ` Paul Moore
  2022-05-19 20:19   ` [EXTERNAL] " Alex Triantafillidis (DESIGN LABORATORY INC)
From: Paul Moore @ 2022-05-19 19:45 UTC (permalink / raw)
  To: Alex Triantafillidis (DESIGN LABORATORY INC); +Cc: linux-audit

On Thu, May 19, 2022 at 12:45 PM Alex Triantafillidis (DESIGN
LABORATORY INC) <v-alextri@microsoft.com> wrote:
>
> Hello Audit,
>
> I am trying to implement a set of rules related to “xattrs” on a MS CBL-Mariner 1.0.
>
> I am following  this guide.
>
> Record Events that Modify the System's Discretionary Access Controls   Group contains 13 rules
>
> [ref]   At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to /etc/audit/audit.rules:
>
> -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
>
>     -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
>
>     -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:
>
> -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
>
>     -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
>
>     -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
>
>
>
> Thing is I get error to any of setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr.
>
> bash: setxattr: command not found

Hi Alex,

Are you trying to execute the /etc/audit/audit.rules file directly
(like it was a bash script)?  I'm asking because the error you are
getting makes it look like bash is trying to execute a program named
"setxattr" which isn't going to work; the lines in audit.rules are
intended to be passed as command line arguments to auditctl.  Look at
the augenrules script (repo link below) and the auditctl '-R' option.

* https://github.com/linux-audit/audit-userspace/blob/master/init.d/augenrules

-- 
paul-moore.com
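Paul's point above is that the lines in audit.rules are arguments for auditctl, not commands for a shell, which is exactly why bash reports "command not found" when the file (or one of its words) is run directly. The C program below is an added example, not from the thread and not code from the audit-userspace project: it treats a rules buffer the way loading a rules file does (blank lines and `#` comment lines are skipped, every other line is split on whitespace into an argv whose argv[0] is `auditctl`) and prints the resulting command lines instead of executing them. The sample rules text is constructed from the guide's xattr rule; the function names are mine.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 64

/* Constructed sample (hypothetical file contents): the xattr rule from the
 * guide for both ABIs, plus a comment line and a blank line. */
static const char SAMPLE_RULES[] =
    "# record xattr changes made by real (logged-in) users\n"
    "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n"
    "\n"
    "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n";

/* Splits one rules-file line on whitespace into a NULL-terminated argv
 * whose argv[0] is "auditctl".  Returns argc, or 0 for blank and comment
 * lines.  The line is tokenized in place, so argv points into it. */
int rule_line_to_argv(char *line, char **argv, int max)
{
    while (isspace((unsigned char)*line))
        line++;
    if (*line == '\0' || *line == '#') {
        argv[0] = NULL;
        return 0;
    }
    int argc = 0;
    argv[argc++] = "auditctl";
    char *save = NULL;
    for (char *tok = strtok_r(line, " \t\r\n", &save);
         tok != NULL && argc < max - 1;
         tok = strtok_r(NULL, " \t\r\n", &save))
        argv[argc++] = tok;
    argv[argc] = NULL;
    return argc;
}

/* Walks a whole rules buffer and prints, for every rule line, the auditctl
 * command line that loading the file would run.  Nothing is executed;
 * returns the number of rule lines found, or -1 on allocation failure. */
int dry_run_rules(const char *rules)
{
    char *copy = strdup(rules);   /* private copy: strtok_r writes NULs */
    if (copy == NULL)
        return -1;
    int count = 0;
    char *save = NULL;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *argv[MAX_ARGS];
        int argc = rule_line_to_argv(line, argv, MAX_ARGS);
        if (argc == 0)
            continue;   /* comment or blank line */
        count++;
        for (int i = 0; i < argc; i++)
            printf("%s%c", argv[i], i + 1 < argc ? ' ' : '\n');
    }
    free(copy);
    return count;
}

int main(void)
{
    int n = dry_run_rules(SAMPLE_RULES);
    printf("%d rule line(s) would be handed to auditctl\n", n);
    return n < 0;
}
```

The dry run makes the mismatch visible: each printed line starts with `auditctl`, which is the program that parses `-a`, `-F` and `-S`; the shell never sees those options when the rules are loaded with `auditctl -R` or through augenrules.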


* Re: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
  2022-05-19 19:45 ` Paul Moore
@ 2022-05-19 20:19   ` Alex Triantafillidis (DESIGN LABORATORY INC)
  2022-05-19 20:43     ` Richard Guy Briggs
  2022-05-19 22:08     ` [EXTERNAL] Re: Help setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr Paul Moore
From: Alex Triantafillidis (DESIGN LABORATORY INC) @ 2022-05-19 20:19 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit



Hi Paul,
Thank you for the quick response.
I am rusty on Linux and I might be confused.
The question is, can I call any of those (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) directly from the command line, or do they need to be part of a script?
Is it possible that those are not installed in CBL-Mariner? I would say so, but I cannot find a package available in the Mariner GitHub. The only thing I found similar is “attr”, but using it as a rule instead of, let's say, setxattr, it won't even register as a rule.
Any attempt to run setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr returns “command not found”.
How can I repro those rules without being able to use the commands to modify a file/directory?
Regards.
AlexT



* Re: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
  2022-05-19 20:19   ` [EXTERNAL] " Alex Triantafillidis (DESIGN LABORATORY INC)
@ 2022-05-19 20:43     ` Richard Guy Briggs
  2022-05-19 20:50       ` Alex Triantafillidis (DESIGN LABORATORY INC)
  2022-05-19 22:08     ` [EXTERNAL] Re: Help setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr Paul Moore
From: Richard Guy Briggs @ 2022-05-19 20:43 UTC (permalink / raw)
  To: Alex Triantafillidis (DESIGN LABORATORY INC); +Cc: linux-audit

On 2022-05-19 20:19, Alex Triantafillidis (DESIGN LABORATORY INC) wrote:
> HI Paul,
> Thank you for the quick response.
> I am rusty on linux and I might be confused.
> The question is, can I directly call any of those (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) directly from the command line, or they need to be a part of a script.

Not generally.  Scripts can be built to call these syscalls depending on
the scripting environment.

> Is it possible that those are not installed in cbl-mariner? I would say so but I cannot find a package available in mariner github. The only thing I found similar is “attr”, but using it as a rule instead of lets say setxattr it wont even register as a rule.

I doubt it.

> Any attempt to run the setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) returns “command not found”

This is a list of linux kernel (unix? posix?) syscalls.  There are a few
syscalls that have commands named for them, but generally syscalls are
used by applications to manipulate system resources (memory, disk,
networks, cpus, etc...)

> How can I repro those rules without being able to use the commands to modify a file/directory?

Use an existing test suite, write a script or application to exercise
these rules.

> Regards.
> AlexT

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
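Richard's answer to "how can I repro those rules" is to write a script or application that exercises the syscalls. The C program below is an added example for that, not code from the thread or from the audit project: it creates a temporary file and issues each of the six syscalls named in the perm_mod xattr rule exactly once (set and remove by path, by path without following symlinks, and by file descriptor), so that a loaded rule has six events to record. The attribute name `user.audit_demo`, its value and the temp-file name pattern are constructed; the program assumes a Linux host whose temporary directory lives on a filesystem that supports `user.*` extended attributes and reports ENOTSUP otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Constructed attribute name and value; "user." is the namespace that an
 * unprivileged owner of a regular file is allowed to write. */
#define XATTR_NAME  "user.audit_demo"
#define XATTR_VALUE "perm_mod_test"

/* Creates an empty temporary file under $TMPDIR (or /tmp) and writes its
 * path into buf.  Returns 0 on success, -1 on failure. */
int make_temp_file(char *buf, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(buf, len, "%s/xattr_demo_XXXXXX", dir) >= (int)len)
        return -1;
    int fd = mkstemp(buf);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Issues each of the six syscalls listed in the rule's -S clause once.
 * Returns the number of successful calls (6 when everything worked),
 * -ENOTSUP if the filesystem has no user xattr support, or -errno of the
 * first other failure. */
int exercise_xattr_syscalls(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -errno;

    int ok = 0, rc;
#define STEP(call) do { if ((call) == 0) ok++; else { rc = -errno; goto out; } } while (0)
    STEP(setxattr(path, XATTR_NAME, XATTR_VALUE, strlen(XATTR_VALUE), 0));
    STEP(removexattr(path, XATTR_NAME));
    STEP(lsetxattr(path, XATTR_NAME, XATTR_VALUE, strlen(XATTR_VALUE), 0));
    STEP(lremovexattr(path, XATTR_NAME));
    STEP(fsetxattr(fd, XATTR_NAME, XATTR_VALUE, strlen(XATTR_VALUE), 0));
    STEP(fremovexattr(fd, XATTR_NAME));
#undef STEP
    rc = ok;
out:
    close(fd);
    return rc;
}

int main(void)
{
    char path[4096];
    if (make_temp_file(path, sizeof path) != 0) {
        perror("mkstemp");
        return 1;
    }
    int rc = exercise_xattr_syscalls(path);
    unlink(path);
    if (rc == -ENOTSUP) {
        fprintf(stderr, "%s: filesystem does not support user xattrs\n", path);
        return 2;
    }
    if (rc < 0) {
        fprintf(stderr, "xattr syscall failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("%d xattr syscalls issued on %s; now check: ausearch -k perm_mod\n", rc, path);
    return 0;
}
```

Build with `cc -o xattr_demo xattr_demo.c`, load the rules first (`auditctl -R /etc/audit/audit.rules`, as Paul describes), then run the binary from an ordinary login session and look at `ausearch -k perm_mod`. The login session matters: the rule filters on `auid>=1000 -F auid!=unset`, so a process started by a boot-time service, whose login uid is unset, is deliberately not recorded, and a run as root from a direct root login has auid 0 and is filtered out too.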

* Re: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
  2022-05-19 20:43     ` Richard Guy Briggs
@ 2022-05-19 20:50       ` Alex Triantafillidis (DESIGN LABORATORY INC)
From: Alex Triantafillidis (DESIGN LABORATORY INC) @ 2022-05-19 20:50 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit



Got it.
Thank you.


* Re: [EXTERNAL] Re: Help setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr
  2022-05-19 20:19   ` [EXTERNAL] " Alex Triantafillidis (DESIGN LABORATORY INC)
  2022-05-19 20:43     ` Richard Guy Briggs
@ 2022-05-19 22:08     ` Paul Moore
From: Paul Moore @ 2022-05-19 22:08 UTC (permalink / raw)
  To: Alex Triantafillidis (DESIGN LABORATORY INC); +Cc: linux-audit

If you are trying to manually load those audit rules into the kernel
you should be able to do so with the following command:

  % auditctl -R /etc/audit/audit.rules

On Thu, May 19, 2022 at 4:19 PM Alex Triantafillidis (DESIGN
LABORATORY INC) <v-alextri@microsoft.com> wrote:
>
> HI Paul,
>
> Thank you for the quick response.
>
> I am rusty on linux and I might be confused.
>
> The question is, can I directly call any of those (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) directly from the command line, or they need to be a part of a script.
>
> Is it possible that those are not installed in cbl-mariner? I would say so but I cannot find a package available in mariner github. The only thing I found similar is “attr”, but using it as a rule instead of lets say setxattr it wont even register as a rule.
>
> Any attempt to run the setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) returns “command not found”
>
> How can I repro those rules without being able to use the commands to modify a file/directory?
>
> Regards.
>
> AlexT

-- 
paul-moore.com

