Skip to content
This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Remove rules which don't work on Ubuntu 12.04.3 #1

Closed
wants to merge 1 commit into from

Conversation

samjsharpe
Copy link
Contributor

ssharpe@ qa-jump-1:~$ sudo service auditd restart

    Restarting audit daemon auditd Error sending add rule data request (Invalid argument)
    There was an error in line 33 of /etc/audit/audit.rules
    [ OK ]

https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500

This seems to imply that the syscall table is out of sync between Precise and the kernel installed by Ubuntu with 12.04.3

The syscalls are provided by the linux-libc-dev package:
http://packages.ubuntu.com/search?keywords=linux-libc-dev

There is no installable package for Precise I can find which has a matching syscall table to the lts-raring kernel. ARRGGHHH.

```
ssharpe@ qa-jump-1:~$ sudo service auditd restart

    Restarting audit daemon auditd Error sending add rule data request (Invalid argument)
    There was an error in line 33 of /etc/audit/audit.rules
    [ OK ]
```

https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1158500

This seems to imply that the syscall table is out of sync between Precise
and the kernel installed by Ubuntu with 12.04.3

The syscalls are provided by the linux-libc-dev package:
    http://packages.ubuntu.com/search?keywords=linux-libc-dev

There is no installable package for Precise I can find which has a matching
syscall table to the lts-raring kernel.

Auditing we lose:
 - creation of device files
 - mounting and unmounting devices
 - changing the time
 - changing the hostname
 - running commands as root
 - failures to access critical elements
@samjsharpe
Copy link
Contributor Author

Attached commit removes the audit-rules which don't work on Ubuntu 12.04.3

Whether this is merged is up for discussion, but I thought it would be helpful as a form of documentation.

Auditing we lose:

  • creation of device files
  • mounting and unmounting devices
  • changing the time
  • changing the hostname
  • running commands as root
  • failures to access critical elements

@samjsharpe
Copy link
Contributor Author

NB: Don't forget when merging to tag and push a new version to the forge!

@philandstuff
Copy link
Contributor

if we're making this 12.04.3-specific we should be loud in the README about this fact.

but yes, having it not work on 12.04.3 is bad and wrong and should be fixed.

@samjsharpe
Copy link
Contributor Author

We tried rebuilding the Raring packages for auditd against precise with the raring kernel:

ssharpe@ qa-jump-2:~$ dpkg -l | grep audit
iU  audispd-plugins                  1:2.2.2-1ubuntu4                  Plugins for the audit event dispatcher
iU  auditd                           1:2.2.2-1ubuntu4                  User space tools for security auditing
ii  libaudit-common                  1:2.2.2-1ubuntu4                  Dynamic library for security auditing - common files
ii  libaudit1                        1:2.2.2-1ubuntu4                  Dynamic library for security auditing
ii  libauparse0                      1:2.2.2-1ubuntu4                  Dynamic library for parsing security auditing

With those packages and this config, the audit system works. That seems like a sledgehammer solution to the problem though.

## managed by puppet
## gov.uk auditd rules, amended for hmrc

## Remove any existing rules
-D

## Buffer Size
## Feel free to increase this if the machine panic's
-b 8192

## Failure Mode
## Possible values are 0 (silent), 1 (printk, print a failure message),
## and 2 (panic, halt the system).
-f 1

## Audit the audit logs.
## successful and unsuccessful attempts to read information from the
## audit records; all modifications to the audit trail
-w /var/log/audit/ -k auditlog

## Auditd configuration
## modifications to audit configuration that occur while the audit
## collection functions are operating.
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

## special files
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

## changes to the time
##
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time

## Use stunnel
-w /usr/sbin/stunnel -p x -k stunnel

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

## monitor usage of passwd
-w /usr/bin/passwd -p x -k passwd_modification

#Monitor for use of tools to change group identifiers
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

## login configuration and information
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

## network configuration
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

## system startup scripts
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

## library search paths
-w /etc/ld.so.conf -p wa -k libpath

## local time zone
-w /etc/localtime -p wa -k localtime

## kernel parameters
-w /etc/sysctl.conf -p wa -k sysctl

## modprobe configuration
-w /etc/modprobe.conf -p wa -k modprobe

## pam configuration
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa  -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

## GDS specific secrets
-w /etc/puppet/ssl -p wa -k puppet_ssl

## postfix configuration
-w /etc/aliases -p wa -k mail
-w /etc/postfix/ -p wa -k mail

## ssh configuration
-w /etc/ssh/sshd_config -k sshd

## changes to hostname
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

## changes to issue
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

## this was to noisy currently.
# log all commands executed by an effective id of 0 aka root.
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## Capture all failures to access on critical elements
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess

## Monitor for use of process ID change (switching accounts) applications
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

## Monitor usage of commands to change power state
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power

## Make the configuration immutable
#-e 2

@philandstuff
Copy link
Contributor

-S options seems to work for me in a vagrant box on 12.04.4...

@samjsharpe
Copy link
Contributor Author

Is that a typo? - 12.04.4 wasn't supposed to be released until Feb 6th. https://wiki.ubuntu.com/PrecisePangolin/ReleaseSchedule

@philandstuff
Copy link
Contributor

it's what I got when I used http://files.vagrantup.com/precise64.box

@samjsharpe
Copy link
Contributor Author

Curiouser and Curiouser - what's the kernel version?

@samjsharpe
Copy link
Contributor Author

So I unpacked that box and it's got linux-image-3.2.0-30 installed. That indicates that it was probably built by taking 12.04.2 media or earlier and then running apt-get update - if you install directly from 12.04.3 media, you get linux-generic-lts-raring installed instead.

@philandstuff
Copy link
Contributor

ah ok thanks. I tried another box with 3.8.0-29 and got the error. :(

@philandstuff
Copy link
Contributor

so the latest comment on the launchpad bug suggests that the problem is that -a entry,always is no longer a valid argument, and instead you need to use -a exit,always. Interestingly, @samjsharpe's diff for this PR uses entry rules, but his comment above where he got it working against a recompiled auditd uses exit rules.

Just tried on my XPS13 running 12.04.4 with kernel 3.8.0-35-generic, and entry rules get rejected but exit rules seem ok. Here's an example of the mknod rule firing:

root@helmholtz:/var/log/audit# mknod /tmp/foo b 3 13
root@helmholtz:/var/log/audit# tail -n4 audit.log 
type=SYSCALL msg=audit(1391729347.994:567): arch=c000003e syscall=133 *snip* comm="mknod" exe="/bin/mknod" key="specialfiles"
type=CWD msg=audit(1391729347.994:567):  cwd="/var/log/audit"
type=PATH msg=audit(1391729347.994:567): item=0 name="/tmp/" inode=7864321 dev=08:03 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1391729347.994:567): item=1 name="/tmp/foo" inode=7872250 dev=08:03 mode=060644 ouid=0 ogid=0 rdev=03:0d

don't understand the syscall number in the above output, as far as I can tell 133 == fchdir, not mknod, but it seems to be capturing the right event otherwise.

cc @gga @maxamg

@rjw1
Copy link
Contributor

rjw1 commented Apr 17, 2014

is this still a bug. do we still care given improvements to the module since?

@rjw1 rjw1 closed this Apr 17, 2014
@samjsharpe
Copy link
Contributor Author

I'm with Phil - I was wrong to claim this is a bug (although the package might have handled this better). exit rules are the right way to fix this.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants