linux-audit.redhat.com archive mirror
* httpd auid = -1
@ 2020-07-30 17:54 Todd Heberlein
  2020-07-30 18:29 ` Steve Grubb
From: Todd Heberlein @ 2020-07-30 17:54 UTC (permalink / raw)
  To: Linux-audit

I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is running with an Audit ID of -1. Example ID values are:

	auid=4294967295
	uid=48
	gid=48
	...

So if I use the standard filter "-F auid!=-1" in the audit rules I do not see httpd activity.

Is this common?

How do I change the auid to something else, so I can capture the httpd activity in the audit log?


Example audit line:

type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)


Thanks,

Todd


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: httpd auid = -1
  2020-07-30 17:54 httpd auid = -1 Todd Heberlein
@ 2020-07-30 18:29 ` Steve Grubb
  2020-07-30 18:47   ` Todd Heberlein
From: Steve Grubb @ 2020-07-30 18:29 UTC (permalink / raw)
  To: linux-audit; +Cc: Linux-audit

On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
> with is running with an Audit ID of -1. Example ID values are:
> 
>         auid=4294967295
>         uid=48
>         gid=48
>         ...
> 
> So if I use the standard filter "-F auid!=-1" in the audit rules I do not see
> httpd activity.
> 
> Is this common?

Yes, this is common. Most people are interested in the actions that people
take on the machine rather than normal system functioning.

> How do I change the auid to something else, so I can capture the httpd
> activity in the audit log?

A couple of ways. 
1) remove the auid!=-1. That will get you all daemons.
2) Use audit by executable rules:
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec

-Steve 


* Re: httpd auid = -1
  2020-07-30 18:29 ` Steve Grubb
@ 2020-07-30 18:47   ` Todd Heberlein
  2020-07-30 21:41     ` Steve Grubb
From: Todd Heberlein @ 2020-07-30 18:47 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks!

This has some interesting implications regarding attackers coming in through a vulnerability in an organization's web services. I’ll have to compare what relevant information I can capture in the audit logs vs. what is captured in web server logs.

Todd



* Re: httpd auid = -1
  2020-07-30 18:47   ` Todd Heberlein
@ 2020-07-30 21:41     ` Steve Grubb
From: Steve Grubb @ 2020-07-30 21:41 UTC (permalink / raw)
  To: Todd Heberlein; +Cc: linux-audit

On Thursday, July 30, 2020 2:47:05 PM EDT Todd Heberlein wrote:
> Thanks!
> 
> This has some interesting implications regarding attackers coming in
> through a vulnerability in an organization's web services. I’ll have to
> compare what relevant information I can capture in the audit logs vs. what
> is captured in web server logs.

The audit rules are designed to common criteria, STIG, PCI-DSS, etc. To date, 
no one has articulated any rules that need to be written against any server. 
The rule naming scheme recognizes that may be a possibility and set aside 
rules that start with 50- specifically for server rules. But with so many 
daemons, where to start? And what to monitor?

If you are thinking about intrusion detection, then I have been working on 
that problem for a while. There are specific rules that detect specific 
actions. But unless you've thought of everything, there is always a hole.

Once they get inside, they probably want to do recon to see what they have to 
work with.

-a always,exit -F perm=x -F path=/usr/bin/uname -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/rpm -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/dnf -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/w -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/who -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/whoami -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/id -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/netstat -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/ss -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/route -F key=ids-recon
...etc. 

But then they might want to use a tool downloaded to escalate. You might be 
able to detect them making it executable:

-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/var/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/var/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/dev/shm -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/dev/shm -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec

There are a lot of rules to add. And this will get noisy because many system 
scripts do things that look like recon. Update looks like mkexec.

What I'd recommend is also looking at something like fapolicyd to prevent 
execution of any downloaded tools. That will give a bigger signal to noise 
ratio than trying to craft some audit rules. Because ultimately, audit can 
tell you something was executed. It can't tell you the software doesn't 
belong on the system.

-Steve

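The two rule families discussed in this thread, Steve's option 1 (dropping "-F auid!=-1" so daemon records are kept) and the ids-mkexec rules from his last reply, emulated over audit events. This is an added example, not code from the thread or from the audit project; the matching is an approximation of the kernel exit filter (dir= and filetype= are evaluated against a PATH record carried with the event), and every event except the httpd line quoted from the thread is constructed. It shows that auid=4294967295 is the unset value auditctl spells as -1, that the mkexec rules have to pair "auid>=1000" with "auid!=-1" because the unset auid is 2**32-1 and passes ">=1000" on its own, and, following the thread's own observation, that a chmod issued from the httpd process tree inherits the unset auid and so is not matched by those rules as written.

```python
"""Emulate auditctl filter clauses over audit events (added example, not code
from the thread or the audit project; an approximation of the kernel exit
filter, not a port of it). Records use the key=value form shown in the thread.
Every event but the httpd line quoted from the thread is constructed."""
import re
import stat

UNSET_AUID = 0xFFFFFFFF                                        # (uid_t)-1
SYS = {"open": 2, "chmod": 90, "fchmod": 91, "fchmodat": 268}  # x86_64, arch=b64
WATCHED_DIRS = ("/home", "/tmp", "/var/tmp", "/dev/shm")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_EVENT_ID = re.compile(r"msg=audit\(([\d.:]+)\)")


def parse_record(line):
    """One audit line -> dict. Syscall args a0..a3 are hex; PATH mode is octal."""
    rec = {}
    for key, val in _FIELD.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key[0] == "a" and key[1:].isdigit():
            val = int(val, 16)
        elif key == "mode":
            val = int(val, 8)
        elif val.isdigit():
            val = int(val)
        rec[key] = val
    return rec


def parse_events(text):
    """Group records by msg=audit(...) id into {'SYSCALL': rec, 'PATH': [recs]}."""
    events = {}
    for line in text.strip().splitlines():
        rec = parse_record(line)
        ev = events.setdefault(_EVENT_ID.search(line).group(1), {"PATH": []})
        if rec["type"] == "PATH":
            ev["PATH"].append(rec)
        else:
            ev[rec["type"]] = rec
    return list(events.values())


def auid_cmp(auid, op, value):
    """-F auid<op><value>. auditctl stores -1 as 4294967295 and the kernel
    compares unsigned uid_t values, so the unset auid is the largest uid."""
    value &= 0xFFFFFFFF
    return {"=": auid == value, "!=": auid != value, ">=": auid >= value}[op]


def rule_open(ev, exclude_unset=True):
    """-a always,exit -F arch=b64 -S open -F auid!=-1. exclude_unset=False is
    option 1 from the thread: the clause removed, so daemons are logged too."""
    sc = ev["SYSCALL"]
    if sc["arch"] != "c000003e" or sc["syscall"] != SYS["open"]:
        return False
    return not exclude_unset or auid_cmp(sc["auid"], "!=", -1)


def rule_mkexec(ev, auid_clauses=True):
    """-a exit,always -F arch=b64 -S chmod,fchmod -F dir=<d> -F a1&0111
    -F filetype=file -F auid>=1000 -F auid!=-1 (and the fchmodat form, whose
    mode is a2). dir= and filetype= are checked against the object's PATH record."""
    sc = ev["SYSCALL"]
    if sc["arch"] != "c000003e":
        return False
    if sc["syscall"] in (SYS["chmod"], SYS["fchmod"]):
        mode_arg = sc["a1"]
    elif sc["syscall"] == SYS["fchmodat"]:
        mode_arg = sc["a2"]
    else:
        return False
    obj = next((p for p in ev["PATH"] if p.get("nametype") == "NORMAL"), None)
    if obj is None or not stat.S_ISREG(obj["mode"]):                # filetype=file
        return False
    if not any(obj["name"].startswith(d + "/") for d in WATCHED_DIRS):  # dir=
        return False
    if not mode_arg & 0o111:                                        # a1&0111
        return False
    if auid_clauses:         # ">=1000" alone would also pass the unset auid
        return auid_cmp(sc["auid"], ">=", 1000) and auid_cmp(sc["auid"], "!=", -1)
    return True


# Constructed events: #1 is the httpd line from the thread, the rest are made up.
# a1=1ed is mode 0755, a1=1a4 is 0644, a0=ffffff9c is AT_FDCWD.
SAMPLE = """\
type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1596065600.000:31400): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1000 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1596065700.000:31500): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd2000 a1=1ed a2=0 a3=0 items=1 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key=ids-mkexec
type=PATH msg=audit(1596065700.000:31500): item=0 name="/tmp/tool" inode=1001 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1596065800.000:31600): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7ffd3000 a2=1ed a3=0 items=1 ppid=1253 pid=1300 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1596065800.000:31600): item=0 name="/dev/shm/tool" inode=1002 dev=00:13 mode=0100644 ouid=48 ogid=48 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1596065900.000:31700): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd4000 a1=1a4 a2=0 a3=0 items=1 ppid=2000 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key=(null)
type=PATH msg=audit(1596065900.000:31700): item=0 name="/home/alice/notes.txt" inode=1003 dev=fd:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""


def evaluate(text=SAMPLE):
    """Rows of (comm, auid, open with auid clause, open without,
    mkexec with auid clauses, mkexec without)."""
    rows = []
    for ev in parse_events(text):
        sc = ev["SYSCALL"]
        rows.append((sc["comm"], sc["auid"], rule_open(ev), rule_open(ev, False),
                     rule_mkexec(ev), rule_mkexec(ev, False)))
    return rows


if __name__ == "__main__":
    for comm, auid, o1, o2, m1, m2 in evaluate():
        shown = "-1" if auid == UNSET_AUID else str(auid)
        print(f"{comm:6} auid={shown:>5}  open {o1!s:5}/{o2!s:5}  mkexec {m1!s:5}/{m2!s:5}")
```

Running the file prints one line per event: the httpd open from the thread is dropped by the rule with "auid!=-1" and kept without it, the interactive user's chmod +x in /tmp trips ids-mkexec either way, the chmod 0644 never does, and the fchmodat from the httpd worker (uid 48, auid unset) only matches once the auid clauses are removed. The auid comparison helper is the point to keep in mind when writing rules of your own: because auditctl stores -1 as 4294967295, any "auid>=N" clause needs the companion "auid!=-1" or it silently includes every daemon.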
