
Remove rules which don't work on Ubuntu 12.04.3 #1

@samjsharpe
Contributor

commented Dec 10, 2013

```
ssharpe@ qa-jump-1:~$ sudo service auditd restart
    Restarting audit daemon auditd Error sending add rule data request (Invalid argument)
    There was an error in line 33 of /etc/audit/audit.rules
    [ OK ]
```

https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500

This seems to imply that the syscall table is out of sync between Precise and the kernel installed by Ubuntu with 12.04.3.

The syscalls are provided by the linux-libc-dev package:
http://packages.ubuntu.com/search?keywords=linux-libc-dev

There is no installable package for Precise I can find which has a matching syscall table to the lts-raring kernel. ARRGGHHH.

@samjsharpe

Contributor Author

commented Dec 10, 2013

Attached commit removes the audit-rules which don't work on Ubuntu 12.04.3

Whether this is merged is up for discussion, but I thought it would be helpful as a form of documentation.

Auditing we lose:

  • creation of device files
  • mounting and unmounting devices
  • changing the time
  • changing the hostname
  • running commands as root
  • failures to access critical elements
@samjsharpe

Contributor Author

commented Dec 10, 2013

NB: Don't forget when merging to tag and push a new version to the forge!

@philandstuff

Contributor

commented Dec 10, 2013

If we're making this 12.04.3-specific we should be loud in the README about this fact.

But yes, having it not work on 12.04.3 is bad and wrong and should be fixed.

@samjsharpe

Contributor Author

commented Dec 11, 2013

We tried rebuilding the Raring packages for auditd against precise with the raring kernel:

```
ssharpe@ qa-jump-2:~$ dpkg -l | grep audit
iU  audispd-plugins                  1:2.2.2-1ubuntu4                  Plugins for the audit event dispatcher
iU  auditd                           1:2.2.2-1ubuntu4                  User space tools for security auditing
ii  libaudit-common                  1:2.2.2-1ubuntu4                  Dynamic library for security auditing - common files
ii  libaudit1                        1:2.2.2-1ubuntu4                  Dynamic library for security auditing
ii  libauparse0                      1:2.2.2-1ubuntu4                  Dynamic library for parsing security auditing
```

With those packages and this config, the audit system works. That seems like a sledgehammer solution to the problem though.

```
## managed by puppet
## gov.uk auditd rules, amended for hmrc

## Remove any existing rules
-D

## Buffer Size
## Feel free to increase this if the machine panics
-b 8192

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
##
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

## Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
-w /etc/ld.so.conf -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl

## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## this was too noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Make the configuration immutable
#-e 2
```
@philandstuff

Contributor

commented Jan 30, 2014

-S options seem to work for me in a vagrant box on 12.04.4...

@samjsharpe

Contributor Author

commented Jan 30, 2014

Is that a typo? - 12.04.4 wasn't supposed to be released until Feb 6th. https://wiki.ubuntu.com/PrecisePangolin/ReleaseSchedule

@philandstuff

Contributor

commented Jan 30, 2014

It's what I got when I used http://files.vagrantup.com/precise64.box

@samjsharpe

Contributor Author

commented Jan 30, 2014

Curiouser and Curiouser - what's the kernel version?

@samjsharpe

Contributor Author

commented Jan 30, 2014

So I unpacked that box and it's got linux-image-3.2.0-30 installed. That indicates that it was probably built by taking 12.04.2 media or earlier and then running apt-get update - if you install directly from 12.04.3 media, you get linux-generic-lts-raring installed instead.

@philandstuff

Contributor

commented Jan 30, 2014

Ah ok, thanks. I tried another box with 3.8.0-29 and got the error. :(

@philandstuff

Contributor

commented Feb 6, 2014

So the latest comment on the launchpad bug suggests that the problem is that -a entry,always is no longer a valid argument, and instead you need to use -a exit,always. Interestingly, @samjsharpe's diff for this PR uses entry rules, but his comment above where he got it working against a recompiled auditd uses exit rules.

Just tried on my XPS13 running 12.04.4 with kernel 3.8.0-35-generic, and entry rules get rejected but exit rules seem ok. Here's an example of the mknod rule firing:

```
root@helmholtz:/var/log/audit# mknod /tmp/foo b 3 13
root@helmholtz:/var/log/audit# tail -n4 audit.log
type=SYSCALL msg=audit(1391729347.994:567): arch=c000003e syscall=133 *snip* comm="mknod" exe="/bin/mknod" key="specialfiles"
type=CWD msg=audit(1391729347.994:567):  cwd="/var/log/audit"
type=PATH msg=audit(1391729347.994:567): item=0 name="/tmp/" inode=7864321 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1391729347.994:567): item=1 name="/tmp/foo" inode=7872250 dev=08:03 mode=060644 ouid=0 ogid=0 rdev=03:0d
```

I don't understand the syscall number in the above output; as far as I can tell 133 == fchdir, not mknod, but it seems to be capturing the right event otherwise.

cc @gga @maxamg
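The syscall number in an audit record only has meaning together with its `arch=` field: the same number names different calls on i386 and x86_64, and `arch=c000003e` is the x86_64 ABI. The following is an added example (not code from this PR or its module) that groups the four records quoted above by their event id and decodes the syscall against a small per-ABI table; the table entries and the `ARCH_NAMES` values are taken from the kernel's syscall and `AUDIT_ARCH_*` definitions, and only cover the calls this page's rules mention.

```python
import re
from collections import defaultdict

# AUDIT_ARCH_* values seen in the arch= field and the subset of syscall
# numbers the rules on this page refer to. The same number names a different
# call on each ABI, so the arch field must be decoded before the number.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALLS = {
    "x86_64": {2: "open", 59: "execve", 81: "fchdir", 133: "mknod",
               165: "mount", 170: "sethostname", 259: "mknodat"},
    "i386": {5: "open", 11: "execve", 14: "mknod", 21: "mount",
             74: "sethostname", 133: "fchdir", 297: "mknodat"},
}

# The four records quoted in the comment above, used here as sample input.
SAMPLE = [
    'type=SYSCALL msg=audit(1391729347.994:567): arch=c000003e syscall=133 *snip* comm="mknod" exe="/bin/mknod" key="specialfiles"',
    'type=CWD msg=audit(1391729347.994:567):  cwd="/var/log/audit"',
    'type=PATH msg=audit(1391729347.994:567): item=0 name="/tmp/" inode=7864321 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00',
    'type=PATH msg=audit(1391729347.994:567): item=1 name="/tmp/foo" inode=7872250 dev=08:03 mode=060644 ouid=0 ogid=0 rdev=03:0d',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_record(line):
    """Split one audit.log line into its key=value fields (quotes removed)."""
    fields = {}
    for key, raw, inner in FIELD_RE.findall(line):
        fields[key] = inner if raw.startswith('"') else raw.rstrip(":")
    return fields

def decode_syscall(arch_hex, number):
    """Return (syscall name or None, ABI name or None) for an arch/number pair."""
    arch = ARCH_NAMES.get(arch_hex.lower())
    return SYSCALLS.get(arch, {}).get(int(number)), arch

def group_events(lines):
    """Join the records that share one audit(<time>:<serial>) id into an event."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        rec = parse_record(line)
        ev = events[rec["msg"]]
        if rec["type"] == "SYSCALL":
            name, arch = decode_syscall(rec["arch"], rec["syscall"])
            ev.update(arch=arch, syscall=name, key=rec.get("key"), exe=rec.get("exe"))
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return dict(events)
```

Run against the sample, the event decodes as `mknod` on x86_64 with key `specialfiles` and paths `/tmp/` and `/tmp/foo`; the same number 133 would be `fchdir` only under the i386 table.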

@rjw1

Contributor

commented Apr 17, 2014

Is this still a bug? Do we still care given improvements to the module since?

@rjw1 rjw1 closed this Apr 17, 2014

@samjsharpe

Contributor Author

commented Apr 20, 2014

I'm with Phil - I was wrong to claim this is a bug (although the package might have handled this better). Exit rules are the right way to fix this.
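Since the outcome of the thread is that `-a entry,...` rules are rejected by the newer kernel and `-a exit,...` rules are the fix, a rules file can be migrated mechanically. This is an added example (not part of the PR or the puppet module) that rewrites only the `-a`/`-A` rules whose list is `entry`, in either `list,action` or `action,list` order, and leaves watches, settings and comments untouched; the sample rules are constructed in the shape of the page's config.

```python
import shlex

# Constructed sample in the shape of the page's rules, with two old-style
# entry rules of the kind the 12.04.3 kernel's auditctl rejects.
SAMPLE_RULES = """\
-D
## special files
-a entry,always -F arch=b64 -S mknod -S mknodat -k specialfiles
-a always,entry -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-w /etc/sudoers -p rw -k priv_esc
"""

def migrate_rule_line(line):
    """Return (new_line, changed) for one line of an audit.rules file.

    Only -a/-A rules whose list is 'entry' are touched: the list is renamed
    to 'exit' in whichever order (list,action or action,list) it was written.
    Comments, -w watches, -D/-b/-f/-e settings and exit rules pass through.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, False
    argv = shlex.split(stripped)
    changed = False
    for i in range(len(argv) - 1):
        if argv[i] in ("-a", "-A"):
            parts = argv[i + 1].split(",")
            if "entry" in parts:
                argv[i + 1] = ",".join("exit" if p == "entry" else p for p in parts)
                changed = True
    # shlex.join re-quotes any token that needs it, so rule syntax survives.
    return (shlex.join(argv), True) if changed else (line, False)

def migrate_rules(text):
    """Rewrite a whole rules file; returns (new_text, 1-based changed line numbers)."""
    out, changed_lines = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, changed = migrate_rule_line(line)
        out.append(new)
        if changed:
            changed_lines.append(n)
    return "\n".join(out) + "\n", changed_lines
```

After migrating, reload the rules with auditctl and confirm no "Invalid argument" error is reported, as in the original restart transcript at the top of this PR.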
