
audit rules not defined in correct format #73

Open
@jgbradley1

Description

Problem

The audit rules (/etc/audit/rules.d/audit.rules) that get written by ato-toolkit are formatted in a way that compliance scans will flag them as potential vulnerabilities when they really aren't. This leads to too many unnecessary false-positives when users run automated checks with compliance scanning tools that expect a particular format.

The ato-toolkit produces the following audit rules at /etc/audit/rules.d/audit.rules

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

-w /var/log/tallylog -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k priv_actions
-w /var/log/wtmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /etc/passwd -p wa -k usergroup_modification
-w /etc/group -p wa -k usergroup_modification
-w /etc/gshadow -p wa -k usergroup_modification
-w /etc/shadow -p wa -k usergroup_modification
-w /etc/security/opasswd -p wa -k usergroup_modification
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -k modules
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F key=modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k module
-w /sbin/fdisk -p x -k fdisk

Solution

Every rule that contains the text auid!=-1 should be replaced with auid!=4294967295. The audit man pages state that -1 and 4294967295 are equivalent but compliance checker tools (i.e. Nessus) don't always respect this.

The STIG benchmark rules (here for example) all state that the rules should be defined with auid!=4294967295 even though they check for the auid!=-1 format with auditctl.

This affects at least the following STIG vulnerability IDs:

V-219238
V-219239
V-219240
V-219241
V-219242
V-219243
V-219244
V-219245
V-219246
V-219247
V-219248
V-219249
V-219250
V-219251
V-219252
V-219253
V-219254
V-219255
V-219256
V-219257
V-219261
V-219262
V-219263
V-219264
V-219265
V-219266
V-219267
V-219268
V-219269
V-219270
V-219271
V-219272
V-219273
V-219274
V-219275
V-219276
V-219277
V-219279
V-219284
V-219285
V-219286
V-219287
V-219288
V-219289
V-219290
V-219293
V-219294
V-219295
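As an added example (not part of the issue or of ato-toolkit), a small Python rewriter that applies the fix proposed above: it normalises every `auid!=-1` filter to `auid!=4294967295`, leaves comments, blank lines and unrelated filters untouched, and reports which rules still carry the form the scanners flag. The sample rules are constructed to match the shape of the listing in the issue.

```python
import re
from typing import Iterable

# The "auid is not unset" filter in the form compliance scanners flag.
# No word character may precede "auid", and the "-1" must not be followed
# by another digit, so an unrelated filter such as "auid!=-10" is left alone.
UNSET_MINUS_ONE = re.compile(r"(?<!\w)auid!=-1(?!\d)")
# auditctl treats -1 and 4294967295 as the same value; only the spelling changes.
UNSET_CANONICAL = "auid!=4294967295"


def normalize_rule(line: str) -> str:
    """Rewrite one audit.rules line to the scanner-friendly spelling.
    Comment and blank lines are returned unchanged."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return line
    return UNSET_MINUS_ONE.sub(UNSET_CANONICAL, line)


def normalize_rules(lines: Iterable[str]) -> list[str]:
    """Apply normalize_rule to a whole rules file, preserving order."""
    return [normalize_rule(line) for line in lines]


def flagged_rules(lines: Iterable[str]) -> list[int]:
    """1-based line numbers of rules that still use auid!=-1 (what a scan would flag)."""
    return [n for n, line in enumerate(lines, 1) if normalize_rule(line) != line]


# Constructed sample in the shape of the ato-toolkit output shown above.
SAMPLE = [
    "## Set failure mode to syslog",
    "-f 1",
    "-w /etc/passwd -p wa -k usergroup_modification",
    "-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change",
    "-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod",
    "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv",
]

if __name__ == "__main__":
    for n in flagged_rules(SAMPLE):
        print(f"line {n} would be flagged: {SAMPLE[n - 1]}")
    for line in normalize_rules(SAMPLE):
        print(line)
```

On a real host, write the normalised lines back to /etc/audit/rules.d/audit.rules and reload them with `augenrules --load` so that `auditctl -l` reflects the change.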
