From: Claire Stafford (S4Software, Inc.)
To: Linux-audit@redhat.com
Subject: Re: What STIG audit rule picks up type=SOFTWARE_UPDATE events?
Date: Sun, 14 May 2023 17:24:47 -0700
References: <7622dda18a1544c3bb52052019e34d72@jhuapl.edu>

Hi,

This brings up the question of where I can find the audit events which are generated by rpm? Also dnf/yum if they directly generate events? A very quick scan of the rpm source code doesn't reveal anything.

Thanks,

Claire Stafford
S4Software, Inc.

On 5/14/23 14:46, Steven Grubb wrote:
> Hello,
>
> On Fri, May 12, 2023 at 5:23 PM Wieprecht, Karen M. <Karen.Wieprecht@jhuapl.edu> wrote:
>
> > All,
> >
> > Do you happen to know which of the standard STIG rules is picking up type=SOFTWARE_UPDATE events on RHEL 7 and 8 ?
>
> None. rpm has been altered to produce these much the same as pam produces login events. It was too tricky to tell the intent to update vs querying the rpm database. And you have no way to answer the question about success without originating from inside rpm itself. I don't think any external rules can meet all requirements imposed by OSPP, which the STIG audit rules are loosely based on.
>
> -Steve
>
> > I'm trying to figure out if we missed one of these rules on an Ubuntu 20 system we are configuring, or if maybe the audit subsystem implementation on that system doesn't pick up all of the same record types as we get on our RHEL boxes. I realized when I started looking at this that it's not easy to determine which audit rule is picking up a particular event if it's not one of the rules that has a key associated with it.
> >
> > As a possible alternative, I ran across a sample audit.rules list here: GitHub - Neo23x0/auditd: Best Practice Auditd Configuration (actual rules file is here: auditd/audit.rules at master · Neo23x0/auditd · GitHub) which included some software management rules that don't appear to be part of the standard "30-stig.rules".
> >
> > If the standard STIG rules don't pick up type=SOFTWARE_UPDATE events on Ubuntu20, I might add some of these, so I was hoping to have a quick sanity check on whether these look like appropriate alternatives. Any recommendations or comments regarding these sample rules would be much appreciated. Basically it looks to me like they are just setting watches for anyone executing these various commands, which shouldn't cause too much noise in the logs except maybe when we are patching, which is one of the continuous monitoring items I need to be able to confirm.
> >
> > Thanks much!
> >
> > Karen Wieprecht
> >
> > # Software Management ---------------------------------------------------------
> >
> > # RPM (Redhat/CentOS)
> > -w /usr/bin/rpm -p x -k software_mgmt
> > -w /usr/bin/yum -p x -k software_mgmt
> >
> > # DNF (Fedora/RedHat 8/CentOS 8)
> > -w /usr/bin/dnf -p x -k software_mgmt
> >
> > # YAST/Zypper/RPM (SuSE)
> > -w /sbin/yast -p x -k software_mgmt
> > -w /sbin/yast2 -p x -k software_mgmt
> > -w /bin/rpm -p x -k software_mgmt
> > -w /usr/bin/zypper -k software_mgmt
> >
> > # DPKG / APT-GET (Debian/Ubuntu)
> > -w /usr/bin/dpkg -p x -k software_mgmt
> > -w /usr/bin/apt -p x -k software_mgmt
> > -w /usr/bin/apt-add-repository -p x -k software_mgmt
> > -w /usr/bin/apt-get -p x -k software_mgmt
> > -w /usr/bin/aptitude -p x -k software_mgmt
> > -w /usr/bin/wajig -p x -k software_mgmt
> > -w /usr/bin/snap -p x -k software_mgmt
> >
> > # PIP(3) (Python installs)
> > -w /usr/bin/pip -p x -k T1072_third_party_software
> > -w /usr/local/bin/pip -p x -k T1072_third_party_software
> > -w /usr/bin/pip3 -p x -k T1072_third_party_software
> > -w /usr/local/bin/pip3 -p x -k T1072_third_party_software
> >
> > # npm
> > ## T1072 third party software
> > ## https://www.npmjs.com
> > ## https://docs.npmjs.com/cli/v6/commands/npm-audit
> > -w /usr/bin/npm -p x -k T1072_third_party_software
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://listman.redhat.com/mailman/listinfo/linux-audit
--
Claire Stafford
S4Software, Inc.
+1-619-736-9040
www.s4software.com
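As an added example (my own code, not rpm's, auditd's, or anything posted in the thread) of the distinction Steve draws: a small Python parser that splits audit records into fields, lifts the msg='...' payload that SOFTWARE_UPDATE records carry, and reports whether each record came from rpm itself, from a keyed watch rule such as the software_mgmt rules above, or cannot be tied back to any rule. The log lines are constructed, and the SOFTWARE_UPDATE field names (op, sw, sw_type, res) are assumed to match what rpm's audit plugin writes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample audit.log records (not taken from the thread): one
# SOFTWARE_UPDATE record written by rpm itself, one SYSCALL record caught by
# a "-w /usr/bin/dnf -p x -k software_mgmt" watch, and one unkeyed SYSCALL.
SAMPLE_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1684100000.100:201): pid=4242 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='op=install sw="example-pkg-1.0-1.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1684100001.200:202): arch=c000003e syscall=59 success=yes exit=0 a0=5581 a1=5582 a2=5583 a3=0 items=2 ppid=4100 pid=4243 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dnf" exe="/usr/bin/dnf" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="software_mgmt"
type=SYSCALL msg=audit(1684100002.300:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=1 ppid=4100 pid=4244 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
"""

# name=value tokens; a value is a '...' string, a "..." string, or a bare word.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

def _kv(text: str) -> Dict[str, str]:
    return {k: v.strip("'\"") for k, v in FIELD_RE.findall(text)}

def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict. SOFTWARE_UPDATE keeps its
    payload inside msg='...', so that payload is parsed a second time and
    its fields (op, sw, sw_type, res, ...) are lifted to the top level."""
    fields = _kv(line)
    payload = re.search(r"msg='([^']*)'", line)
    if payload:
        fields.update(_kv(payload.group(1)))
    return fields

def classify(rec: Dict[str, str]) -> Tuple[str, str]:
    """Return (source, detail): who produced the record and how to find it."""
    if rec.get("type") == "SOFTWARE_UPDATE":
        # Emitted by rpm's audit plugin, not by an auditctl rule, so it has
        # no key; select it by record type instead (ausearch -m SOFTWARE_UPDATE).
        return "rpm-internal", f"{rec.get('op')} {rec.get('sw')} res={rec.get('res')}"
    key = rec.get("key", "(null)")
    if key != "(null)":
        # Produced by a keyed -w/-a rule: the key names the rule that fired.
        return "watch-rule", f"key={key} exe={rec.get('exe')}"
    # No key: the record cannot be traced back to a specific rule from the log.
    return "unattributed", f"exe={rec.get('exe')}"

def summarize(log_text: str) -> List[Tuple[str, str]]:
    """Classify every non-empty line of an audit log excerpt."""
    return [classify(parse_record(l)) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for source, detail in summarize(SAMPLE_LOG):
        print(f"{source:13s} {detail}")
```

Because rpm's records carry no key, ausearch -k software_mgmt will not return them; ausearch -m SOFTWARE_UPDATE selects them by record type instead.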