On Thu, May 19, 2022 at 12:45 PM Alex Triantafillidis (DESIGN LABORATORY INC) <[email protected]> wrote:
>
> Hello Audit,
>
> I am trying to implement a set of rules related to “xattrs” on a MS CBL-Mariner 1.0.
>
> I am following this guide.
>
> Record Events that Modify the System's Discretionary Access Controls Group contains 13 rules
>
> [ref] At a minimum, the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for auditing. Even if the system is 64 bit it can still execute 32 bit system calls. Additionally, these rules can be configured in a number of ways while still achieving the desired effect. An example of this is that the "-S" calls could be split up and placed on separate lines, however, this is less efficient. Add the following to /etc/audit/audit.rules:
>
> -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> If your system is 64 bit then these lines should be duplicated and the arch=b32 replaced with arch=b64 as follows:
>
> -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
>
> The thing is, I get an error for any of setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr:
>
> bash: setxattr: command not found
Hi Alex,

Are you trying to execute the /etc/audit/audit.rules file directly (like it was a bash script)? I'm asking because the error you are getting makes it look like bash is trying to execute a program named "setxattr", which isn't going to work; the lines in audit.rules are intended to be passed as command line arguments to auditctl.

Look at the augenrules script (repo link below) and the auditctl '-R' option.

* https://github.com/linux-audit/audit-userspace/blob/master/init.d/augenrules

-- 
paul-moore.com

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
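The point of the reply above is that each line of audit.rules is an argument vector for auditctl, not a shell command, which is why bash reports "setxattr: command not found" when the file is run as a script. The following added example (written for this thread, not code from the audit-userspace project or from either poster) tokenises rules-file lines the way auditctl receives them, checks that each syscall rule carries the arch, syscall list and key the quoted guide calls for, and generates the arch=b64 twin of any arch=b32 rule that lacks one. The SAMPLE_RULES text is constructed from the rules quoted in the thread, joined back onto single lines (the e-mail wrapped them), with two of the b64 lines deliberately omitted so the twin generator has something to report.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the guide's rules quoted in the thread, with the b64
# twins of the chmod and chown rules deliberately left out.
SAMPLE_RULES = """\
# Record Events that Modify the System's Discretionary Access Controls
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
"""


@dataclass
class AuditRule:
    action: str                                   # e.g. "always,exit"
    arch: Optional[str] = None                    # from -F arch=b32 / arch=b64
    syscalls: List[str] = field(default_factory=list)
    filters: List[str] = field(default_factory=list)  # -F fields other than arch= and key=
    key: Optional[str] = None                     # from -F key=... or -k ...

    def to_line(self) -> str:
        """Render the rule back into audit.rules syntax."""
        parts = ["-a", self.action]
        if self.arch:
            parts += ["-F", f"arch={self.arch}"]
        if self.syscalls:
            parts += ["-S", ",".join(self.syscalls)]
        for f in self.filters:
            parts += ["-F", f]
        if self.key:
            parts += ["-F", f"key={self.key}"]
        return " ".join(parts)


def as_auditctl_argv(line: str) -> List[str]:
    """A rules-file line is an argument vector for auditctl, not a program to execute."""
    return ["auditctl"] + shlex.split(line)


def parse_rule(line: str) -> Optional[AuditRule]:
    """Parse one syscall rule (-a ...); blank lines and comments return None."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    if tokens[0] != "-a" or len(tokens) < 2:
        raise ValueError(f"not a syscall rule: {line!r}")
    rule = AuditRule(action=tokens[1])
    i = 2
    while i + 1 < len(tokens):
        opt, val = tokens[i], tokens[i + 1]
        if opt == "-S":
            rule.syscalls += val.split(",")
        elif opt == "-F" and val.startswith("arch="):
            rule.arch = val[len("arch="):]
        elif opt == "-F" and val.startswith("key="):
            rule.key = val[len("key="):]
        elif opt == "-k":
            rule.key = val
        elif opt == "-F":
            rule.filters.append(val)
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    if i != len(tokens):
        raise ValueError(f"dangling token {tokens[-1]!r} in {line!r}")
    return rule


def parse_rules(text: str) -> List[AuditRule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def check_rule(rule: AuditRule) -> List[str]:
    """Problems a reviewer would flag given the guide's wording."""
    problems = []
    if rule.arch not in ("b32", "b64"):
        problems.append("missing -F arch=b32/b64")
    if not rule.syscalls:
        problems.append("no -S syscall list")
    if not rule.key:
        problems.append("no key (rule cannot be found with ausearch -k)")
    return problems


def missing_b64_twins(rules: List[AuditRule]) -> List[str]:
    """Lines to add so every b32 rule has a b64 rule with the same syscalls, filters and key."""
    def sig(r: AuditRule):
        return (r.action, frozenset(r.syscalls), tuple(r.filters), r.key)
    have_b64 = {sig(r) for r in rules if r.arch == "b64"}
    return [AuditRule(r.action, "b64", list(r.syscalls), list(r.filters), r.key).to_line()
            for r in rules if r.arch == "b32" and sig(r) not in have_b64]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(as_auditctl_argv(r.to_line()), check_rule(r) or "ok")
    for line in missing_b64_twins(rules):
        print("missing b64 twin:", line)
```

On a real host the generated lines would be appended to the rules file and loaded with `auditctl -R <file>` (or via augenrules), then confirmed with `auditctl -l`; the script itself only inspects the text and needs no audit subsystem.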
