Discussion:
auditd rule error
Joshua Ammons
2018-06-11 12:39:26 UTC
On a server running RHEL 7.2 the audit rules fail to load due to an error on this rule:

-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
From what I have found it seems "exe" may not be a valid field on this specific O.S. - is this correct? Does anyone have any recommendations on how to track elevated privileges for all RHEL 6/7 systems?
Steve Grubb
2018-06-11 14:27:32 UTC
Post by Joshua Ammons
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
From what I have found it seems "exe" may not be a valid field on this
specific O.S. - is this correct?
That might have been targeted for the 7.4 kernel.
Post by Joshua Ammons
Does anyone have any recommendations on how to track elevated privileges
for all RHEL 6/7 systems?
The exe field is used for what we call audit by executable. This is for when
you want to zero in on a particular program performing some action like
calling accept. If you simply want notification that an application was
invoked, then you would just set up a watch for execute.

-a always,exit -F path=/usr/bin/su -F perm=x -F key=10.2.5.b-elevated-privs-session

That should work across RHEL 6 & 7. Also, you will get events from pam as the
user authenticates and starts the session. So, you should be able to find
those with this search:

ausearch --start today -x /usr/bin/su -m USER_START -w -i

-Steve
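Two defender-side helpers for the situation in this thread, written here as an added example (not code from the thread, from Steve, or from the audit project): the first rewrites an audit-by-executable rule (the `exe` field the 7.2 kernel rejects) into the execute watch Steve recommends, keeping the original key so `ausearch -k` searches still match; the second pulls su activity out of raw audit.log records, both the SYSCALL hits on that key and the PAM USER_START record written when the session opens. The sample log lines are constructed for the example, not captured from a real system, and the rule parser assumes `-a` rules with `-F name<op>value` filters.

```python
"""Added example: portable rewrite of an exe-field audit rule, and extraction
of su activity from audit.log records. Sample records below are constructed."""
import re

# `exe` is the only field this thread establishes as unavailable on the 7.2 kernel.
NEWER_KERNEL_FIELDS = {"exe"}
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.*)$")
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_rule(rule):
    """Split an auditctl -a rule into action, syscalls and -F filters.

    Filters are kept as name -> (operator, value) so that comparisons such as
    auid!=4294967295 survive a round trip unchanged."""
    tokens = rule.split()
    parsed = {"action": None, "syscalls": [], "fields": {}}
    for i in range(0, len(tokens), 2):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {flag!r} is missing its argument")
        arg = tokens[i + 1]
        if flag == "-a":
            parsed["action"] = arg
        elif flag == "-S":
            parsed["syscalls"].append(arg)
        elif flag == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"unparseable filter {arg!r}")
            parsed["fields"][m.group(1)] = (m.group(2), m.group(3))
        else:
            raise ValueError(f"unsupported flag {flag!r}")
    return parsed


def unsupported_fields(rule):
    """Filters in the rule that the older kernel will reject at load time."""
    return sorted(set(parse_rule(rule)["fields"]) & NEWER_KERNEL_FIELDS)


def to_portable_watch(rule):
    """Return the execute-watch form of an audit-by-executable rule.

    The key is preserved so existing searches keep working; a rule without an
    exe filter is returned unchanged."""
    parsed = parse_rule(rule)
    fields = parsed["fields"]
    if "exe" not in fields:
        return rule
    op, binary = fields["exe"]
    if op != "=":
        raise ValueError("only exe=<path> can become a path watch")
    key = fields.get("key", ("=", "portable-watch"))[1]  # fallback key is a placeholder
    return f"-a {parsed['action']} -F path={binary} -F perm=x -F key={key}"


def parse_record(line):
    """Flatten one audit.log line into a dict. Quoted values are unquoted and
    the nested msg='...' payload of USER_START records is flattened as well."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    for k, v in KV_RE.findall(line):
        rec[k] = v.strip('"')
    return rec


def su_activity(lines, key="10.2.5.b-elevated-privs-session"):
    """(serial, type, auid, detail) for every record tied to /usr/bin/su:
    SYSCALL records carrying the watch key, and PAM USER_START session opens."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("exe") != "/usr/bin/su":
            continue
        if rec["type"] == "SYSCALL" and rec.get("key") == key:
            hits.append((rec["serial"], "SYSCALL", rec["auid"], rec["key"]))
        elif rec["type"] == "USER_START":
            hits.append((rec["serial"], "USER_START", rec["auid"], rec.get("acct", "?")))
    return hits


# Constructed records in audit.log layout: an su exec hit on the watch, the PAM
# session open it produced, and an unrelated execve that must be ignored.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(1528720000.101:300): arch=c000003e syscall=59 success=yes exit=0 "
    "a0=7ffd2c0 a1=7ffd2d0 a2=7ffd2e0 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 "
    "gid=1000 euid=0 ses=3 comm=\"su\" exe=\"/usr/bin/su\" key=\"10.2.5.b-elevated-privs-session\"",
    "type=USER_START msg=audit(1528720001.205:301): pid=2101 uid=0 auid=1000 ses=3 "
    "msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\"root\" exe=\"/usr/bin/su\" "
    "hostname=? addr=? terminal=pts/0 res=success'",
    "type=SYSCALL msg=audit(1528720002.310:302): arch=c000003e syscall=59 success=yes exit=0 "
    "a0=0 a1=0 a2=0 a3=0 items=2 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 "
    "ses=4 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"other-rule\"",
]

if __name__ == "__main__":
    original = ("-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su "
                "-F key=10.2.5.b-elevated-privs-session")
    print("rejected fields:", unsupported_fields(original))
    print("portable rule:  ", to_portable_watch(original))
    for hit in su_activity(SAMPLE_LOG):
        print(hit)
```

Run it directly to see the rewritten rule and the two su records; on a real host, feed `su_activity` the lines of /var/log/audit/audit.log or the output of `ausearch --raw` instead of the constructed list.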
Joshua Ammons
2018-06-11 14:49:49 UTC
Perfect, thanks so much Steve.

Joshua Ammons Senior SIEM Engineer, Cybersecurity
Global Business Services
Office 479.204.4472 | Mobile 479.595.2291
***@walmart.com

Walmart 
805 Moberly Ln
Bentonville, AR  72716