parameters of command in audit.log

Support for security such as Firewalls and securing linux
Post Reply
Paczkov
Posts: 1
Joined: 2019/04/15 08:24:54

parameters of command in audit.log

Post by Paczkov » 2019/04/15 08:38:16

Hello,

I need help with configuring or understanding auditd service.
My problem is that i do not see parameters of lets say chmod. I see that it was used, but i do not know what was the parameter (i want to search for files where +x permissions was added). Bellow i am presenting chmod log from audit.log. I used chmod 777 on file testtest.sh and i see that log:

type=SYSCALL msg=audit(1555317071.522:85615285): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=9980f0 a2=1ff a3=7ffc0a2bd160 items=1 ppid=3553 pid=6592 auid=1023 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=52335 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1555317071.522:85615285): cwd="/root"
type=PATH msg=audit(1555317071.522:85615285): item=0 name="testtest.sh" inode=1716 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1555317071.522:85615285): proctitle=63686D6F64003737370074657374746573742E7368


I see command was used but i do not see what permission was granted. At this log i still see old permission under mode=

Could you please advise?

Best Regards!

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: parameters of command in audit.log

Post by aks » 2019/04/18 18:52:21

It's not that hard, here's an example from some time ago:

# Discretionary access control permission modification (unsuccessful and successful use of chown/chmod)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k permissions

Syscall rules take the general form of:
-a action,list -S syscall -F field=value -k keyname

It's all in the docs, have a read of man audit.rules I think it's pretty clear (albeit long), also RH have some quite (albeit old) docs.

Post Reply