There are two control types pertaining to the Linux Auditing System. These rules are only for adding or changing audit rules, which typically live in /etc/audit/rules.d/audit.rules.

rule:file system

Designator for the <Type> field used specifically to create audit rules for file modification and for execution of userland binaries. {SETUID_PROG_PATH} is to be used solely for locating binaries that may sit in non-standard userland locations: /bin, /usr/bin, /usr/centrify/bin.

In this case, su may not always be in /usr/bin, so the rule may require customization per environment:

```xml
<Group>
  <GroupId>V-230412</GroupId>
  <GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
  <RuleId>SV-230412r627750_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-08-030190</RuleVersion>
  <RuleTitle>Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.</RuleTitle>
  <Where>Auditing System</Where>
  <Applied>[{SETUID_PROG_PATH} = find /usr/bin -xdev -type f -name su]</Applied>
  <Type>rule:File system[-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change]</Type>
  <Value>TRUE</Value>
  <Ignore>case, space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>
```

rule:system call

Designator for the <Type> field for system library or binary calls that require an arch element. This typically covers binaries installed via package subsystems (apt/deb or yum/rpm).

This rule has multiple parts referring to arch=b32 and arch=b64 for system calls setting file attributes:

```xml
<Group>
  <GroupId>V-230413 Part 1 of 4</GroupId>
  <GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
  <RuleId>SV-230413r810463_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-08-030200</RuleVersion>
  <RuleTitle>The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.</RuleTitle>
  <Where>Auditing System</Where>
  <Applied>"xattr"</Applied>
  <Type>rule:system call</Type>
  <Value>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>
```
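The following shell script is an added example, not part of this page or of any tooling it describes. It renders both control types above into the lines that would be appended to /etc/audit/rules.d/audit.rules: the rule:file system template with {SETUID_PROG_PATH} resolved by the page's find expression across the listed userland roots (emitting one rule per copy of su found), and the arch=b32/arch=b64 pair for a rule:system call entry. The function names, the argument layout and the temporary demo tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): render audit rules for the two control
# types. Assumption: templates, binary names and search roots are passed in
# as arguments; the find expression mirrors the page's <Applied> field.

# render_fs_rule TEMPLATE NAME DIR...
# rule:file system: resolve {SETUID_PROG_PATH} by searching each root for
# NAME and emit one rule per binary found (su may live in several places).
render_fs_rule() {
    template=$1
    name=$2
    shift 2
    case $template in
        *"{SETUID_PROG_PATH}"*) ;;
        *) printf '%s\n' "$template"; return 0 ;;   # nothing to resolve
    esac
    prefix=${template%%\{SETUID_PROG_PATH\}*}       # text before placeholder
    suffix=${template#*\{SETUID_PROG_PATH\}}        # text after placeholder
    for dir in "$@"; do
        [ -d "$dir" ] || continue                   # root absent on this host
        find "$dir" -xdev -type f -name "$name" 2>/dev/null
    done | sort -u | while IFS= read -r path; do
        printf '%s%s%s\n' "$prefix" "$path" "$suffix"
    done
}

# render_syscall_rule SYSCALLS KEY
# rule:system call: emit the arch=b32 and arch=b64 pair for one syscall list,
# the layout the page's "Part 1 of 4" xattr rule follows.
render_syscall_rule() {
    for arch in b32 b64; do
        printf '%s\n' "-a always,exit -F arch=$arch -S $1 -F auid>=1000 -F auid!=unset -k $2"
    done
}

# Constructed demo tree standing in for /bin, /usr/bin and /usr/centrify/bin.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/centrify/bin"
    : > "$root/usr/bin/su"
    : > "$root/usr/centrify/bin/su"
    render_fs_rule '-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change' \
        su "$root/bin" "$root/usr/bin" "$root/usr/centrify/bin"
    render_syscall_rule setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr perm_mod
    rm -rf "$root"
}
demo
```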