[Auditbeat] file_integrity - Monitor ACL and selinux attributes on Linux #36265

Closed
andrewkroh opened this issue Aug 8, 2023 · 3 comments

Comments

@andrewkroh
Member

andrewkroh commented Aug 8, 2023

Describe the enhancement:

For the file_integrity module, add support for monitoring and reporting changes to the filesystem extended attributes (xattrs) named security.selinux and system.posix_acl_access. Events will contain the values of these xattrs. If the values change then an event should be reported. Both attributes' values contain a null-terminated string.

Describe a specific use case for the enhancement or feature:

In environments where SELinux is employed, it is useful to monitor file metadata for changes to SELinux labels. A change to labeling can impact security posture.

Similarly in environments where file ACLs are used (e.g. getfacl, setfacl) it is useful to monitor for changes to these ACLs (just like it is useful to monitor permissions in the file mode).

References

@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh
Member Author

Apparently I was wrong about system.posix_acl_access being a string.

$ setfacl -m u:landscape:rw /foo.bar

$ getfacl /foo.bar 
getfacl: Removing leading '/' from absolute path names
# file: foo.bar
# owner: root
# group: root
user::rw-
user:landscape:rw-
group::r--
mask::rw-
other::r--

$ getfattr -n system.posix_acl_access /foo.bar 
getfattr: Removing leading '/' from absolute path names
# file: foo.bar
system.posix_acl_access=0sAgAAAAEABgD/////AgAGAG8AAAAEAAQA/////xAABgD/////IAAEAP////8=

The ACL attribute values are in a canonical, architecture-independent binary format.

@andrewkroh
Member Author

Confirming that the security.selinux label is a plain string.

$ sudo chcon -h system_u:object_r:bin_t:s0  /foo.bar 

$ ls -lZ /foo.bar 
-rw-rw-r--+ 1 root root system_u:object_r:bin_t:s0 0 Aug 14 16:49 /foo.bar

$ getfattr -n security.selinux /foo.bar 
# file: foo.bar
security.selinux="system_u:object_r:bin_t:s0"
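
The two comments above establish the two value formats a file_integrity implementation would have to handle: security.selinux is a plain label string (the kernel may store it with a trailing NUL), while system.posix_acl_access is the kernel's binary ACL encoding, which getfattr prints base64-encoded behind a 0s prefix. The following Go program is an example added to this page; it is not code from Auditbeat or the Beats repository. It decodes the exact getfattr value shown earlier into ACL entries and renders them in getfacl notation, and normalises a NUL-terminated SELinux label so that two readings of the same label compare equal when diffing events. The function names (DecodeGetfattrValue, ParsePosixACL, FormatPosixACL, NormalizeSELinuxLabel) are chosen for this example; the on-disk layout follows the kernel's posix_acl_xattr.h: a little-endian u32 version (2) followed by 8-byte entries of u16 tag, u16 perm, u32 id.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Example added for this page, not Auditbeat code. Layout of the
// system.posix_acl_access xattr (include/uapi/linux/posix_acl_xattr.h):
//   u32 a_version (little-endian, must be 2), then 0..N entries of
//   { u16 e_tag; u16 e_perm; u32 e_id }, all little-endian.
const (
	posixACLXattrVersion = 2
	aclEntrySize         = 8
	aclUndefinedID       = 0xffffffff // e_id when the entry has no qualifier
)

// Tag values as defined by the POSIX ACL API (<sys/acl.h>).
const (
	aclUserObj  = 0x01 // user::
	aclUser     = 0x02 // user:<uid>:
	aclGroupObj = 0x04 // group::
	aclGroup    = 0x08 // group:<gid>:
	aclMask     = 0x10 // mask::
	aclOther    = 0x20 // other::
)

type ACLEntry struct {
	Tag  uint16
	Perm uint16 // bitmask: 4=read, 2=write, 1=execute
	ID   uint32 // uid/gid for aclUser/aclGroup, aclUndefinedID otherwise
}

// ParsePosixACL decodes raw xattr bytes. Unknown versions and partial
// entries are rejected: a monitoring agent should report a malformed
// value rather than silently emit a truncated ACL.
func ParsePosixACL(raw []byte) ([]ACLEntry, error) {
	if len(raw) < 4 {
		return nil, errors.New("posix acl xattr: shorter than the 4-byte header")
	}
	if v := binary.LittleEndian.Uint32(raw[:4]); v != posixACLXattrVersion {
		return nil, fmt.Errorf("posix acl xattr: unsupported version %d", v)
	}
	body := raw[4:]
	if rem := len(body) % aclEntrySize; rem != 0 {
		return nil, fmt.Errorf("posix acl xattr: %d trailing bytes are not a whole entry", rem)
	}
	entries := make([]ACLEntry, 0, len(body)/aclEntrySize)
	for off := 0; off < len(body); off += aclEntrySize {
		entries = append(entries, ACLEntry{
			Tag:  binary.LittleEndian.Uint16(body[off:]),
			Perm: binary.LittleEndian.Uint16(body[off+2:]),
			ID:   binary.LittleEndian.Uint32(body[off+4:]),
		})
	}
	return entries, nil
}

// String renders one entry in getfacl's long form. Named user/group entries
// keep the numeric id; getfacl resolves it via passwd/group, this code does not.
func (e ACLEntry) String() string {
	perm := []byte("---")
	if e.Perm&4 != 0 {
		perm[0] = 'r'
	}
	if e.Perm&2 != 0 {
		perm[1] = 'w'
	}
	if e.Perm&1 != 0 {
		perm[2] = 'x'
	}
	switch e.Tag {
	case aclUserObj:
		return "user::" + string(perm)
	case aclUser:
		return fmt.Sprintf("user:%d:%s", e.ID, perm)
	case aclGroupObj:
		return "group::" + string(perm)
	case aclGroup:
		return fmt.Sprintf("group:%d:%s", e.ID, perm)
	case aclMask:
		return "mask::" + string(perm)
	case aclOther:
		return "other::" + string(perm)
	}
	return fmt.Sprintf("unknown(0x%x):%d:%s", e.Tag, e.ID, perm)
}

// FormatPosixACL joins entries with commas, the form setfacl -m accepts.
func FormatPosixACL(entries []ACLEntry) string {
	parts := make([]string, len(entries))
	for i, e := range entries {
		parts[i] = e.String()
	}
	return strings.Join(parts, ",")
}

// DecodeGetfattrValue turns the value part of a getfattr line into raw bytes:
// "0s..." is base64, "0x..." is hex, a double-quoted value is printable text
// (getfattr's backslash escapes are not decoded here).
func DecodeGetfattrValue(v string) ([]byte, error) {
	switch {
	case strings.HasPrefix(v, "0s"):
		return base64.StdEncoding.DecodeString(v[2:])
	case strings.HasPrefix(v, "0x"):
		return hex.DecodeString(v[2:])
	case len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"':
		return []byte(v[1 : len(v)-1]), nil
	}
	return nil, fmt.Errorf("unrecognised getfattr value encoding: %q", v)
}

// NormalizeSELinuxLabel drops the trailing NUL the kernel may store, so
// "a:b:c:s0\x00" and "a:b:c:s0" do not register as a label change.
func NormalizeSELinuxLabel(raw []byte) string {
	return string(bytes.TrimRight(raw, "\x00"))
}

func main() {
	// Sample input: the system.posix_acl_access value from the getfattr output above.
	raw, err := DecodeGetfattrValue("0sAgAAAAEABgD/////AgAGAG8AAAAEAAQA/////xAABgD/////IAAEAP////8=")
	if err != nil {
		panic(err)
	}
	entries, err := ParsePosixACL(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(FormatPosixACL(entries)) // user:111 is the "landscape" entry shown by getfacl
	// Constructed sample: the label from the thread with a kernel-style trailing NUL.
	fmt.Println(NormalizeSELinuxLabel([]byte("system_u:object_r:bin_t:s0\x00")))
}
```

Running this on the base64 value from the thread yields five entries, user::rw-, user:111:rw-, group::r--, mask::rw-, other::r--, which matches the getfacl listing once uid 111 is resolved to landscape. For change detection, comparing the decoded entries (or the raw bytes) is more robust than comparing getfacl's text, since the text depends on name resolution on the host at read time.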

@efd6 efd6 self-assigned this Aug 17, 2023
@efd6 efd6 closed this as completed Aug 21, 2023