I saw some discussions and patches about audit rule ordering on this list a few months back, and I'm having trouble getting the order of a rules file preserved after the rules are loaded on a RHEL 5.4 box.
My question is: Can we count on the kernel maintaining the order in which rules are entered? If so, perhaps those patches weren't included in the RHEL 5.4 kernel? I'm attaching my audit.rules file, which produces the following rule listing:

[r...@bracer2 ~]# auditctl -l
LIST_RULES: exit,never dir=/dev/pts (0x8) perm=rw subj_type=qemu_t
LIST_RULES: exit,never dir=/var/run/libvirt/network (0x18) perm=wa subj_type=dnsmasq_t
LIST_RULES: exit,never dir=/var/log/libvirt/ (0x11) perm=wa subj_type=logrotate_t
LIST_RULES: exit,never dir=/var/cache/libvirt/ (0x13) perm=wa subj_type=initrc_t
LIST_RULES: exit,always dir=/etc/libvirt/ (0xd) perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always arch=1073741827 (0x40000003) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always arch=3221225534 (0xc000003e) perm=wxa subj_type=qemu_t obj_type!=qemu_t (0x6) key=virt_qemu_crossdomain
LIST_RULES: exit,always dir=/var/lib/libvirt/images/ (0x18) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always obj_type=virt_image_t (0xc) perm=wa subj_type!=qemu_t key=virt_image_change
LIST_RULES: exit,always dir=/var/run/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/lib/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/cache/libvirt/ (0x13) perm=wa subj_type!=qemu_t key=virt_runtime_change
LIST_RULES: exit,always dir=/var/log/libvirt/ (0x11) perm=wa subj_type!=virtd_t key=virt_log_change
LIST_RULES: exit,never watch=/dev/ksm perm=rw subj_type=qemu_t
LIST_RULES: exit,never watch=/dev/ptmx perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=x key=virt_qemu_exec
LIST_RULES: exit,always watch=/usr/libexec/qemu-kvm perm=wa key=virt_qemu_change
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/ca-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,never watch=/dev/kvm perm=rw subj_type=qemu_t
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-cert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt-vnc/server-key.pem subj_type!=qemu_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=x key=virt_libvirtd_exec
LIST_RULES: exit,always watch=/usr/sbin/libvirtd perm=wa key=virt_libvirtd_change
LIST_RULES: exit,always watch=/etc/sasl2/libvirt.conf perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/sysconfig/libvirtd perm=wa key=virt_libvirt_cfg
LIST_RULES: exit,always watch=/etc/pki/CA/cacert.pem perm=wa key=virt_tls_cert
LIST_RULES: exit,always watch=/etc/pki/libvirt/private/serverkey.pem subj_type!=virtd_t key=virt_tls_privkey syscall=all
LIST_RULES: exit,always watch=/etc/pki/libvirt/servercert.pem perm=wa key=virt_tls_cert

Thanks,

-Klaus
--
Klaus Heinrich Kiwi | [email protected]
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog
# audit.rules for a libvirt/qemu-kvm host.
# Loaded by auditctl -R (or by auditd at startup); one auditctl option set per line.
# Layout: the "exit,never" exclusions come first, then the "exit,always" rules
# they are meant to carve exceptions out of, so the file order is the intended
# evaluation order.
# NOTE(review): the `auditctl -l` listing taken on this box does not reproduce
# this file order -- every `-F path=` rule is reported as a `watch=` entry and
# grouped after the dir=/arch=/obj_type= rules, with the never rules for
# /dev/kvm, /dev/ksm and /dev/ptmx appearing after the qemu crossdomain rules.
# Whether the "never before always" intent still holds once loaded should be
# confirmed against the running kernel before relying on these exclusions.

# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 8192

#####
### Don't audit rules - explicit exclusions for more generic rules after

# Don't audit Qemu read/writes to necessary devices
-a exit,never -F path=/dev/kvm -F perm=rw -F subj_type=qemu_t
-a exit,never -F path=/dev/ksm -F perm=rw -F subj_type=qemu_t
-a exit,never -F path=/dev/ptmx -F perm=rw -F subj_type=qemu_t
-a exit,never -F dir=/dev/pts -F perm=rw -F subj_type=qemu_t

# Don't audit dnsmasq writing to libvirt network runtime data
-a exit,never -F dir=/var/run/libvirt/network -F perm=wa -F subj_type=dnsmasq_t

# Don't audit logrotate writing to logs
-a exit,never -F dir=/var/log/libvirt/ -F perm=wa -F subj_type=logrotate_t

# Don't audit initrc_t domain writing to temporary storage data
-a exit,never -F dir=/var/cache/libvirt/ -F perm=wa -F subj_type=initrc_t

#####
### Audit access attempts to TLS private keys
# No -F perm= here, so (as the listing shows: "syscall=all", no perm) any
# syscall touching the key file from outside the owning domain is recorded,
# reads included. Only virtd_t / qemu_t respectively are exempt.
-a exit,always -F path=/etc/pki/libvirt/private/serverkey.pem -F subj_type!=virtd_t -k virt_tls_privkey
-a exit,always -F path=/etc/pki/libvirt-vnc/server-key.pem -F subj_type!=qemu_t -k virt_tls_privkey

#####
### Audit attempts at changing libvirt and Qemu certificates (both server and CA)
# Write/attribute changes only; reads of public certificates are not audited.
-a exit,always -F path=/etc/pki/CA/cacert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt/servercert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt-vnc/ca-cert.pem -F perm=wa -k virt_tls_cert
-a exit,always -F path=/etc/pki/libvirt-vnc/server-cert.pem -F perm=wa -k virt_tls_cert

######
### Audit any changes to libvirt configuration
-a exit,always -F dir=/etc/libvirt/ -F perm=wa -k virt_libvirt_cfg
-a exit,always -F path=/etc/sysconfig/libvirtd -F perm=wa -k virt_libvirt_cfg
-a exit,always -F path=/etc/sasl2/libvirt.conf -F perm=wa -k virt_libvirt_cfg

######
### Audit every attempt of qemu_t interaction with another domain, unless
### explicitly excluded above
# One rule per ABI; both are needed on an x86_64 host so 32-bit guests/tools
# are covered too. The device exclusions at the top of the file are what keep
# normal qemu_t access to /dev/kvm, /dev/ksm, /dev/ptmx and /dev/pts out of
# this key.
-a exit,always -F arch=b32 -S all -F perm=wax -F subj_type=qemu_t -F obj_type!=qemu_t -k virt_qemu_crossdomain
-a exit,always -F arch=b64 -S all -F perm=wax -F subj_type=qemu_t -F obj_type!=qemu_t -k virt_qemu_crossdomain

######
### Audit changes to virtual images from outside qemu_t domain
# Second rule catches images by SELinux label wherever they live, not only
# under the default images directory.
-a exit,always -F dir=/var/lib/libvirt/images/ -F perm=wa -F subj_type!=qemu_t -k virt_image_change
-a exit,always -F obj_type=virt_image_t -F perm=wa -F subj_type!=qemu_t -k virt_image_change

######
### Audit changes to qemu/libvirt runtime data (exceptions above)
-a exit,always -F dir=/var/run/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_runtime_change
-a exit,always -F dir=/var/lib/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_runtime_change
-a exit,always -F dir=/var/cache/libvirt/ -F perm=wa -F subj_type!=qemu_t -k virt_runtime_change

######
### Audit changes to qemu/libvirt logs (exceptions above)
-a exit,always -F dir=/var/log/libvirt/ -F perm=wa -F subj_type!=virtd_t -k virt_log_change

######
### Audit every libvirtd execution
-a exit,always -F path=/usr/sbin/libvirtd -F perm=x -k virt_libvirtd_exec

######
### Audit every libvirtd executable change
-a exit,always -F path=/usr/sbin/libvirtd -F perm=wa -k virt_libvirtd_change

######
### Audit every Qemu execution
-a exit,always -F path=/usr/libexec/qemu-kvm -F perm=x -k virt_qemu_exec

######
### Audit every Qemu executable change
-a exit,always -F path=/usr/libexec/qemu-kvm -F perm=wa -k virt_qemu_change
