Discussion:
ANOM_ROOT_TRANS
Maupertuis Philippe
2018-10-02 11:43:04 UTC
Hi,
According to the Red Hat 7 security guide, ANOM_ROOT_TRANS is triggered when a user becomes root.
It seems that using sudo doesn't trigger this event.
I would like to know how this event is triggered.
There are also several ANOM_ types that I can't see generated.
Is there a document describing where these events would come from?

Philippe

Steve Grubb
2018-10-02 16:56:17 UTC
Post by Maupertuis Philippe
According to the Red Hat 7 security guide, ANOM_ROOT_TRANS is triggered when
a user becomes root. It seems that using sudo doesn't trigger this event.
I would like to know how this event is triggered.
Looking at the blame view of libaudit.h on GitHub, this was imported as far
back as 1.7.4 over 10 years ago. Back then, work was being done around
prelude IDS and feeding it with events for correlation and escalation. That
work was mothballed when prelude upstream became inactive. Prelude support
has also been removed from audit-3.0 when it gets released.
Post by Maupertuis Philippe
There are also several ANOM_ types that I can't see generated.
Is there a document describing where these events would come from?
The event types in libaudit.h are not 100% supported. Some were supported and
are now not in use. (Can't remove them since you really might run across the
event in a heterogeneous network.) Many in the ANOM and RESP categories are
placeholders for future use. The description is accurate wrt the intended
use. At the moment nothing I know of is sending that event. But the roadmap
for audit 3.1 has a mention for a basic IDS capability. That might be when
ANOM and RESP categories get better supported. I wouldn't expect sudo or su
to send these.

-Steve

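Added example, not from the thread or the audit project: a small Python inventory that counts the record types that actually occur in an audit.log and reports which ANOM_ names never appear, which is the check Philippe's question calls for before expecting a placeholder type to show up. The sample records are constructed; ANOM_ABEND is named from libaudit.h as I know it, not from this thread.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Sequence

# Leading "type=NAME msg=audit(seconds.millis:serial):" of one audit.log record.
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z_0-9]+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
)

# ANOM_ROOT_TRANS is the type asked about; ANOM_ABEND is another ANOM_ name from libaudit.h.
ANOM_TYPES = ("ANOM_ROOT_TRANS", "ANOM_ABEND")

# Constructed sample records (not captured from a real host): what sudo and PAM
# typically log when an unprivileged user runs a command as root, plus one
# SYSCALL record and one junk line the parser must skip.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1538477000.101:201): pid=4321 uid=1000 auid=1000 ses=3 msg='cwd="/home/user" cmd="id" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1538477000.102:202): pid=4321 uid=1000 auid=1000 ses=3 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1538477000.103:203): pid=4321 uid=1000 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1538477000.104:204): arch=c000003e syscall=59 success=yes exit=0 comm="id" exe="/usr/bin/id"
this line is not an audit record and must be skipped
"""


def count_types(lines: Iterable[str]) -> Counter:
    """Count records per type= value; lines that are not audit records are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            counts[m.group("type")] += 1
    return counts


def report_types(lines: Iterable[str], wanted: Sequence[str]) -> Dict[str, int]:
    """Return {type: count} for each wanted type; 0 means it was never observed."""
    counts = count_types(lines)
    return {t: counts.get(t, 0) for t in wanted}


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LOG.splitlines() with open("/var/log/audit/audit.log").
    lines = SAMPLE_LOG.splitlines()
    for name, n in sorted(count_types(lines).items()):
        print(f"{name:20s} {n}")
    for name, n in report_types(lines, ANOM_TYPES).items():
        print(f"{name:20s} {'never observed' if n == 0 else n}")
```

On the sample input the sudo-to-root transition shows up as USER_CMD, CRED_ACQ and USER_START records, while both ANOM_ types report as never observed, matching Steve's description of them as placeholders.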