This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Remove rules which don't work on Ubuntu 12.04.3 #1

Closed
wants to merge 1 commit into from

Conversation

@samjsharpe (Contributor)

```
ssharpe@ qa-jump-1:~$ sudo service auditd restart

    Restarting audit daemon auditd Error sending add rule data request (Invalid argument)
    There was an error in line 33 of /etc/audit/audit.rules
    [ OK ]
```

https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500

This seems to imply that the syscall table is out of sync between Precise
and the kernel installed by Ubuntu with 12.04.3

The syscalls are provided by the linux-libc-dev package:
    http://packages.ubuntu.com/search?keywords=linux-libc-dev

There is no installable package for Precise I can find which has a matching
syscall table to the lts-raring kernel.

Auditing we lose:
 - creation of device files
 - mounting and unmounting devices
 - changing the time
 - changing the hostname
 - running commands as root
 - failures to access critical elements
@samjsharpe (Contributor Author)

Attached commit removes the audit-rules which don't work on Ubuntu 12.04.3

Whether this is merged is up for discussion, but I thought it would be helpful as a form of documentation.

Auditing we lose:

  • creation of device files
  • mounting and unmounting devices
  • changing the time
  • changing the hostname
  • running commands as root
  • failures to access critical elements

@samjsharpe (Contributor Author)

NB: Don't forget when merging to tag and push a new version to the forge!

@philandstuff (Contributor)

if we're making this 12.04.3-specific we should be loud in the README about this fact.

but yes, having it not work on 12.04.3 is bad and wrong and should be fixed.

@samjsharpe (Contributor Author)

We tried rebuilding the Raring packages for auditd against precise with the raring kernel:

```
ssharpe@ qa-jump-2:~$ dpkg -l | grep audit
iU  audispd-plugins                  1:2.2.2-1ubuntu4                  Plugins for the audit event dispatcher
iU  auditd                           1:2.2.2-1ubuntu4                  User space tools for security auditing
ii  libaudit-common                  1:2.2.2-1ubuntu4                  Dynamic library for security auditing - common files
ii  libaudit1                        1:2.2.2-1ubuntu4                  Dynamic library for security auditing
ii  libauparse0                      1:2.2.2-1ubuntu4                  Dynamic library for parsing security auditing
```

With those packages and this config, the audit system works. That seems like a sledgehammer solution to the problem though.

```
## managed by puppet
## gov.uk auditd rules, amended for hmrc

## Remove any existing rules
-D

## Buffer Size
## Feel free to increase this if the machine panics
-b 8192

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
##
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

## Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
-w /etc/ld.so.conf -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl

## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## this was too noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Make the configuration immutable
#-e 2
```
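As an added example (not part of this PR or the gov.uk module), a small Python linter for a rules file like the one above. It rewrites the `-a entry,always` form that the Launchpad bug and this thread found rejected on the lts-raring kernel to `-a exit,always`, flags syscall rules that carry no `-F arch=` filter (auditctl warns about a 32/64-bit mismatch for those), and notes `-w` watches with no `-p`, which auditctl treats as `rwxa` (so a bare `/etc/shadow` watch logs reads as well as writes). The rule text is a constructed subset of the config above with one rule deliberately put into the entry form; the function names are the example's own.

```python
import re

# Constructed sample: a subset of the rules posted above, with the b32
# specialfiles rule deliberately written in the obsolete "entry" list form,
# one syscall rule missing -F arch=, and one watch without -p.
SAMPLE_RULES = """\
## Remove any existing rules
-D
-b 8192
-f 1
-w /etc/audit/ -p wa -k auditconfig
-w /etc/shadow -k etcpasswd
-a entry,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles
-a exit,always -S sethostname -k hostname
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
#-e 2
"""


def parse_rule(line):
    """Split one auditctl rule line into (option, value) pairs, e.g. ('-S', 'mknod').
    Options with no argument (such as -D) get a value of None."""
    toks = line.split()
    pairs, i = [], 0
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            pairs.append((toks[i], toks[i + 1]))
            i += 2
        else:
            pairs.append((toks[i], None))
            i += 1
    return pairs


def lint_rules(text):
    """Return (rewritten rules text, list of findings) for an audit.rules file."""
    fixed, findings = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            fixed.append(raw)
            continue
        pairs = parse_rule(line)
        opts = dict(pairs)  # last value wins; only used for presence checks
        if "-a" in opts:
            parts = opts["-a"].split(",")
            if "entry" in parts:
                new = ",".join("exit" if p == "entry" else p for p in parts)
                findings.append(f"line {n}: '-a {opts['-a']}' rewritten to '-a {new}' "
                                "(the entry list is rejected by the 3.x kernels in this thread)")
                line = re.sub(r"-a\s+\S+", f"-a {new}", line, count=1)
            has_syscall = any(o == "-S" for o, _ in pairs)
            has_arch = any(o == "-F" and v is not None and v.startswith("arch=") for o, v in pairs)
            if has_syscall and not has_arch:
                findings.append(f"line {n}: syscall rule without -F arch=; auditctl warns of a "
                                "32/64-bit mismatch and the rule matches only one ABI")
        if "-w" in opts and "-p" not in opts:
            findings.append(f"line {n}: watch on {opts['-w']} has no -p, so auditctl "
                            "records all of r,w,x,a (reads included)")
        fixed.append(line)
    return "\n".join(fixed) + "\n", findings


def syscalls_by_key(text):
    """Map each -k key to the set of syscalls its -a rules cover."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a"):
            continue
        pairs = parse_rule(line)
        key = next((v for o, v in pairs if o == "-k"), None)
        for o, v in pairs:
            if o == "-S":
                out.setdefault(key, set()).add(v)
    return out


if __name__ == "__main__":
    rewritten, notes = lint_rules(SAMPLE_RULES)
    for note in notes:
        print(note)
    print(rewritten)
    print(syscalls_by_key(rewritten))
```

Run it against a real `/etc/audit/audit.rules` by reading the file into `lint_rules`; the rewritten text is only a suggestion and is not written back anywhere.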

@philandstuff (Contributor)

-S options seem to work for me in a Vagrant box on 12.04.4...

@samjsharpe (Contributor Author)

Is that a typo? - 12.04.4 wasn't supposed to be released until Feb 6th. https://wiki.ubuntu.com/PrecisePangolin/ReleaseSchedule

@philandstuff (Contributor)

it's what I got when I used http://files.vagrantup.com/precise64.box

@samjsharpe (Contributor Author)

Curiouser and Curiouser - what's the kernel version?

@samjsharpe (Contributor Author)

So I unpacked that box and it's got linux-image-3.2.0-30 installed. That indicates that it was probably built by taking 12.04.2 media or earlier and then running apt-get update - if you install directly from 12.04.3 media, you get linux-generic-lts-raring installed instead.

@philandstuff (Contributor)

ah ok thanks. I tried another box with 3.8.0-29 and got the error. :(

@philandstuff (Contributor)

so the latest comment on the launchpad bug suggests that the problem is that -a entry,always is no longer a valid argument, and instead you need to use -a exit,always. Interestingly, @samjsharpe's diff for this PR uses entry rules, but his comment above where he got it working against a recompiled auditd uses exit rules.

Just tried on my XPS13 running 12.04.4 with kernel 3.8.0-35-generic, and entry rules get rejected but exit rules seem ok. Here's an example of the mknod rule firing:

```
root@helmholtz:/var/log/audit# mknod /tmp/foo b 3 13
root@helmholtz:/var/log/audit# tail -n4 audit.log
type=SYSCALL msg=audit(1391729347.994:567): arch=c000003e syscall=133 *snip* comm="mknod" exe="/bin/mknod" key="specialfiles"
type=CWD msg=audit(1391729347.994:567):  cwd="/var/log/audit"
type=PATH msg=audit(1391729347.994:567): item=0 name="/tmp/" inode=7864321 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1391729347.994:567): item=1 name="/tmp/foo" inode=7872250 dev=08:03 mode=060644 ouid=0 ogid=0 rdev=03:0d
```

don't understand the syscall number in the above output, as far as I can tell 133 == fchdir, not mknod, but it seems to be capturing the right event otherwise.

cc @gga @maxamg
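To show what the records above look like once parsed, here is an added Python example (not from the PR or the project) that groups audit.log records by their `msg=audit(time:serial)` id, resolves the syscall number against the record's `arch` field, and reports any device node named in the PATH records by decoding `mode` and `rdev`. The log lines are constructed from the event shown above, with the snipped SYSCALL fields filled in with plausible values and a second event added to show grouping; the syscall tables are a deliberately partial, hand-written subset. Syscall numbers are per-architecture: `arch=c000003e` is the x86_64 value, on whose table 133 is mknod, while 133 is fchdir on the 32-bit i386 table, which is why the number alone is ambiguous.

```python
import re
import stat

# Constructed sample: the mknod event from the thread with the snipped SYSCALL
# fields filled in (plausible values, not copied from a real host), plus a
# second, unrelated execve event so that grouping by serial is visible.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1391729347.994:567): arch=c000003e syscall=133 success=yes exit=0 a0=7fff1b2c3d4e a1=61b4 a2=30d a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mknod" exe="/bin/mknod" key="specialfiles"
type=CWD msg=audit(1391729347.994:567):  cwd="/var/log/audit"
type=PATH msg=audit(1391729347.994:567): item=0 name="/tmp/" inode=7864321 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1391729347.994:567): item=1 name="/tmp/foo" inode=7872250 dev=08:03 mode=060644 ouid=0 ogid=0 rdev=03:0d
type=SYSCALL msg=audit(1391729350.120:568): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1240 auid=1000 uid=0 euid=0 comm="id" exe="/usr/bin/id" key="rootcmd"
type=PATH msg=audit(1391729350.120:568): item=0 name="/usr/bin/id" inode=1 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# Partial, hand-written syscall tables: only the numbers this example needs.
# The audit "arch" field carries the AUDIT_ARCH_* value for the calling ABI.
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
SYSCALL_NAMES = {
    AUDIT_ARCH_X86_64: {59: "execve", 81: "fchdir", 133: "mknod"},
    AUDIT_ARCH_I386: {11: "execve", 14: "mknod", 133: "fchdir"},
}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k2="quoted v"' into a dict with the quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Group records by serial: {serial: {'time', 'SYSCALL', 'CWD', 'PATH': [...]}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": float(ts), "PATH": []})
        fields = parse_fields(body)
        if rtype == "PATH":
            ev["PATH"].append(fields)
        else:
            ev[rtype] = fields
    return events


def syscall_name(arch_hex, number):
    """Resolve a syscall number for the ABI named by the audit arch field."""
    return SYSCALL_NAMES.get(int(arch_hex, 16), {}).get(int(number), f"unknown({number})")


def describe_device(path_fields):
    """Return major/minor details if a PATH record names a block or char device."""
    kind = stat.S_IFMT(int(path_fields["mode"], 8))
    if kind not in (stat.S_IFBLK, stat.S_IFCHR):
        return None
    major, minor = (int(x, 16) for x in path_fields["rdev"].split(":"))
    return {"path": path_fields["name"], "type": "block" if kind == stat.S_IFBLK else "char",
            "major": major, "minor": minor}


def summarise(event):
    """Reduce one grouped event to the fields an analyst looks at first."""
    sc = event.get("SYSCALL", {})
    return {
        "key": sc.get("key"),
        "syscall": syscall_name(sc.get("arch", "0"), sc.get("syscall", "-1")),
        "exe": sc.get("exe"),
        "euid": sc.get("euid"),
        "paths": [p["name"] for p in event["PATH"]],
        "devices": [d for d in (describe_device(p) for p in event["PATH"]) if d],
    }


if __name__ == "__main__":
    for serial, event in sorted(parse_audit_log(SAMPLE_LOG).items()):
        print(serial, summarise(event))
```

For event 567 the summary resolves to `mknod` under key `specialfiles` and reports `/tmp/foo` as a block device 3:13, matching the `mknod /tmp/foo b 3 13` that produced it.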

@rjw1 (Contributor)

rjw1 commented Apr 17, 2014

Is this still a bug? Do we still care, given improvements to the module since?

@rjw1 rjw1 closed this Apr 17, 2014
@samjsharpe (Contributor Author)

I'm with Phil - I was wrong to claim this is a bug (although the package might have handled this better). exit rules are the right way to fix this.
