On Thursday, February 13, 2020 11:35:46 AM EST MAUPERTUIS, PHILIPPE wrote:
> > Subject: Re: Auditing a program use but not what it is doing
> >
> > On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> > wrote:
> > > Like many, we are using aide and clamav.
> > > I would like to have an audit record when these programs are run but no
> > > records for what they are doing. I mean, I want to know that clamscan or
> > > aide has been launched but not that it checks, say, /etc/passwd, whatever
> > > rules could be in place for /etc/passwd.
> >
> > Then all you need to do is place a watch on them.
> >
> > -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
>
> Just to be sure I understand how it works:
> If we have two rules in that order:
> -a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
The exe option is to audit syscalls by a specific application. For example,
you might want to use it to see what IP address an application connects to.

-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash

To place a _watch_ on a file, you use the path option with permission of
executable. The rule above should be:

-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run

There should be other examples like this in the shipped rules.

> -a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts

This will create an event whenever an application writes to or changes
permissions of passwd. Try running adduser or chmod it.

> When running aide :
> - the first rule produces a message
> - the second rule is ignored

It would only trigger on a write/permission change.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
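The following is an added worked example, not code from the thread or from the audit project. It parses the rules discussed above and replays a few constructed events through a deliberately simplified model of the kernel's audit filter, to show why a `-F path=... -F perm=x` watch fires once when aide is executed, why the `/etc/passwd` watch with `perm=wa` stays silent when aide merely reads the file, and how the `-F exe=` rule differs (it keys on the calling program and its syscalls, not on a file being touched). Assumptions: the clamscan path `/usr/bin/clamscan` is a guess, a `key=bash_net` was added to Steve's exe rule so the hit is visible, the sample events are invented, and the matcher only models the `path`, `perm`, `exe`, `auid` and `-S` fields (real auditd also evaluates `arch`, rule order, exclude filters and more).

```python
"""Simplified auditd rule matcher: which rule (by key) does an event hit?

Constructed example, not from the linux-audit thread. The kernel's audit
filter is more elaborate; this models only enough of it to illustrate the
difference between a file watch (-F path/-F perm) and an exe filter.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# "-F name<op>value"; ops ordered so that two-character ones win.
_FIELD = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.+)$")
_OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


@dataclass
class Rule:
    text: str
    filters: List[Tuple[str, str, str]] = field(default_factory=list)
    syscalls: Set[str] = field(default_factory=set)   # empty = any syscall
    key: Optional[str] = None


@dataclass
class Event:
    exe: str                    # executable of the calling process
    syscall: str
    auid: int = 1000            # login uid; -1 means unset (daemons, boot)
    path: Optional[str] = None  # file the syscall touched, if any
    access: str = ""            # one of r, w, x, a (read/write/exec/attr)


def parse_rule(line: str) -> Rule:
    """Parse the '-a always,exit -F ... -S ...' syntax used in the thread."""
    toks = line.split()
    rule = Rule(text=line)
    i = 0
    while i < len(toks):
        tok, arg = toks[i], toks[i + 1]
        if tok == "-a":          # action,list: accepted but not modelled
            pass
        elif tok == "-S":
            rule.syscalls.update(arg.split(","))
        elif tok == "-F":
            name, op, val = _FIELD.match(arg).groups()
            if name == "key":
                rule.key = val
            elif name == "arch":  # not modelled; events here are all b64
                pass
            else:
                rule.filters.append((name, op, val))
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 2
    return rule


def matches(rule: Rule, ev: Event) -> bool:
    if rule.syscalls and ev.syscall not in rule.syscalls:
        return False
    for name, op, val in rule.filters:
        if name == "perm":
            # A watch fires only for the access classes listed in perm:
            # reading a file never satisfies perm=wa, and an execve of the
            # watched binary is an 'x' access.
            if ev.path is None or ev.access not in val:
                return False
        elif name in ("path", "exe"):
            actual = ev.path if name == "path" else ev.exe
            if not _OPS[op](actual, val):
                return False
        elif name == "auid":
            if not _OPS[op](ev.auid, int(val)):
                return False
        else:
            raise ValueError(f"field {name!r} not modelled")
    return True


# The rules from the thread (clamscan path assumed; bash rule given a key).
RULES = [parse_rule(r) for r in [
    "-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run",
    "-a always,exit -F path=/usr/bin/clamscan -F perm=x -F key=clamscan_run",
    "-a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts",
    "-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000"
    " -F auid!=-1 -F exe=/usr/bin/bash -F key=bash_net",
]]


def hits(ev: Event, rules: List[Rule] = RULES) -> List[Optional[str]]:
    """Keys of every rule the event would generate a record for."""
    return [r.key for r in rules if matches(r, ev)]


# Constructed events replaying the scenario from the thread.
AIDE_EXEC = Event("/usr/bin/bash", "execve", path="/usr/sbin/aide", access="x")
AIDE_READS_PASSWD = Event("/usr/sbin/aide", "openat", path="/etc/passwd", access="r")
USERADD_WRITES = Event("/usr/sbin/useradd", "openat", path="/etc/passwd", access="w")
CHMOD_PASSWD = Event("/usr/bin/chmod", "fchmodat", path="/etc/passwd", access="a")
BASH_CONNECT = Event("/usr/bin/bash", "connect")
DAEMON_BASH_CONNECT = Event("/usr/bin/bash", "connect", auid=-1)

if __name__ == "__main__":
    for ev in (AIDE_EXEC, AIDE_READS_PASSWD, USERADD_WRITES, CHMOD_PASSWD,
               BASH_CONNECT, DAEMON_BASH_CONNECT):
        print(f"{ev.exe} {ev.syscall} {ev.path or ''} -> {hits(ev)}")
```

On a real system the rule lines go in a file under /etc/audit/rules.d/, are loaded with `augenrules --load` (or `auditctl -R` for a one-off), and the effect is checked with `auditctl -l` and `ausearch -k aide_run`; the simulation above only mirrors the decision the kernel makes, so confirm on the box before relying on it.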
