Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Todd Heberlein <todd_heberlein@mac.com>
Cc: linux-audit@redhat.com
Subject: Re: httpd auid = -1
Date: Thu, 30 Jul 2020 17:41:13 -0400
Message-ID: <1705434.8GvrW9sroV@x2> (raw)
In-Reply-To: <87773DC0-7C77-470D-8E13-ED8C217D4C0E@mac.com>

On Thursday, July 30, 2020 2:47:05 PM EDT Todd Heberlein wrote:
> Thanks!
> 
> This has some interesting implications regarding attackers coming in
> through a vulnerability in an organization's web services. I’ll have to
> compare what relevant information I can capture in the audit logs vs. what
> is captured in web server logs.

The audit rules are designed to common criteria, STIG, PCI-DSS, etc. To date, 
no one has articulated any rules that need to be written against any server. 
The rule naming scheme recognizes that as a possibility and sets aside 
rules that start with 50- specifically for server rules. But with so many 
daemons, where to start? And what to monitor?

If you are thinking about intrusion detection, then I have been working on 
that problem for a while. There are specific rules that detect specific 
actions. But unless you've thought of everything, there is always a hole.

Once they get inside, they probably want to do recon to see what they have to 
work with.

-a always,exit -F perm=x -F path=/usr/bin/uname -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/rpm -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/dnf -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/w -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/who -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/whoami -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/id -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/netstat -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/ss -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/route -F key=ids-recon
...etc. 

But then they might want to use a tool downloaded to escalate. You might be 
able to detect them making it executable:

-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/var/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/var/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/dev/shm -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/dev/shm -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec

There's a lot of rules to add. And this will get noisy because many system 
scripts do things that look like recon. Update looks like mkexec.

What I'd recommend is also looking at something like fapolicyd to prevent 
execution of any downloaded tools. That will give a bigger signal to noise 
ratio than trying to craft some audit rules. Because ultimately, audit can 
tell you something was executed. It can't tell you the software doesn't 
belong on the system.

-Steve

> > On Jul 30, 2020, at 11:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > 
> > On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
> >> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
> >> with is running with an Audit ID of -1. Example ID values are:
> >>        auid=4294967295
> >>        uid=48
> >>        gid=48
> >>        ...
> >> 
> >> So if I use the standard filter "-F auid!=-1" in the audit rules I do not
> >> see httpd activity.
> >> 
> >> Is this common?
> > 
> > Yes, this is common. Most people are interested in the actions that
> > people take on the machine rather than normal system functioning.
> > 
> >> How do I change the auid to something else, so I can capture the httpd
> >> activity in the audit log?
> > 
> > A couple of ways.
> > 1) remove the auid!=-1. That will get you all daemons.
> > 2) Use audit by executable rules:
> > -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F
> > key=httpd-exec
> > 
> > -Steve
> > 
> >> Example audit line:
> >> 
> >> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
> >> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
> >> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> >> exe="/usr/sbin/httpd" key=(null)

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
