On 2022-05-19 20:19, Alex Triantafillidis (DESIGN LABORATORY INC) wrote:
> Hi Paul,
> Thank you for the quick response.
> I am rusty on linux and I might be confused.
> The question is, can I directly call any of those
> (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr)
> from the command line, or do they need to be part of a script?

Not generally.  Scripts can be built to call these syscalls depending on
the scripting environment.

> Is it possible that those are not installed in cbl-mariner? I would say so
> but I cannot find a package available in mariner github. The only thing I
> found similar is “attr”, but using it as a rule instead of, let's say, setxattr
> it won't even register as a rule.

I doubt it.

> Any attempt to run any of
> (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr) returns
> “command not found”

This is a list of Linux kernel (unix? posix?) syscalls.  There are a few
syscalls that have commands named for them, but generally syscalls are
used by applications to manipulate system resources (memory, disk,
networks, CPUs, etc...)

> How can I repro those rules without being able to use the commands to modify 
> a file/directory?

Use an existing test suite, write a script or application to exercise
these rules.

> Regards.
> AlexT
> 
> From: Paul Moore <[email protected]>
> Date: Thursday, May 19, 2022 at 12:46 PM
> To: Alex Triantafillidis (DESIGN LABORATORY INC) <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: [EXTERNAL] Re: Help 
> setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
> 
> On Thu, May 19, 2022 at 12:45 PM Alex Triantafillidis (DESIGN
> LABORATORY INC) <[email protected]> wrote:
> >
> > Hello Audit,
> >
> > I am trying to implement a set of rules related to “xattrs” on a MS 
> > CBL-Mariner 1.0.
> >
> > I am following this guide.
> >
> > Record Events that Modify the System's Discretionary Access Controls
> > Group contains 13 rules
> >
> > [ref]   At a minimum, the audit system should collect file permission 
> > changes for all users and root. Note that the "-F arch=b32" lines should be 
> > present even on a 64 bit system. These commands identify system calls for 
> > auditing. Even if the system is 64 bit it can still execute 32 bit system 
> > calls. Additionally, these rules can be configured in a number of ways 
> > while still achieving the desired effect. An example of this is that the 
> > "-S" calls could be split up and placed on separate lines, however, this is 
> > less efficient. Add the following to /etc/audit/audit.rules:
> >
> > -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > If your system is 64 bit then these lines should be duplicated and the 
> > arch=b32 replaced with arch=b64 as follows:
> >
> > -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > The thing is, I get an error for any of
> > setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr.
> >
> > bash: setxattr: command not found
> 
> Hi Alex,
> 
> Are you trying to execute the /etc/audit/audit.rules file directly
> (like it was a bash script)?  I'm asking because the error you are
> getting makes it look like bash is trying to execute a program named
> "setxattr" which isn't going to work; the lines in audit.rules are
> intended to be passed as command line arguments to auditctl.  Look at
> the augenrules script (repo link below) and the auditctl '-R' option.
> 
> * https://github.com/linux-audit/audit-userspace/blob/master/init.d/augenrules
> 
> --
> paul-moore.com

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
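As an added example (not code from this thread or from the audit project), the following Python script exercises each of the six xattr syscalls named in the rule above, so that after loading the rules with `auditctl -R /etc/audit/audit.rules` and running it as a user with auid >= 1000, the resulting records can be checked with `ausearch -k perm_mod`. It assumes a Linux host and a temporary directory on a filesystem that permits `user.*` xattrs; where a call fails it records the errno name instead of aborting, since a failed call is still audited.

```python
import errno
import os
import tempfile

# 'user.' xattrs need no privilege on regular files and directories.
ATTR = b"user.audit_demo"
SYSCALLS = ("setxattr", "removexattr", "fsetxattr", "fremovexattr",
            "lsetxattr", "lremovexattr")


def attempt_syscall(call):
    """Run one syscall wrapper; report 'ok' or the errno name (e.g. EPERM)."""
    try:
        call()
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, "E%d" % e.errno)


def exercise_xattr_syscalls(workdir=None):
    """Issue each of the six syscalls once and return {syscall: outcome}.
    A failed call (ENOTSUP where user xattrs are unsupported, EPERM for
    user.* on a symlink) is still audited: the rule is 'always,exit'
    with no '-F success=' filter, so it fires on every syscall exit."""
    if not hasattr(os, "setxattr"):  # non-Linux interpreter (assumption)
        return {name: "unavailable" for name in SYSCALLS}
    out = {}
    with tempfile.TemporaryDirectory(dir=workdir) as d:
        target = os.path.join(d, "target")
        link = os.path.join(d, "link")
        with open(target, "wb") as f:
            f.write(b"x")
        os.symlink(target, link)
        # setxattr(2)/removexattr(2): by path, symlinks followed.
        out["setxattr"] = attempt_syscall(lambda: os.setxattr(target, ATTR, b"1"))
        out["removexattr"] = attempt_syscall(lambda: os.removexattr(target, ATTR))
        # fsetxattr(2)/fremovexattr(2): by open file descriptor.
        fd = os.open(target, os.O_RDWR)
        try:
            out["fsetxattr"] = attempt_syscall(lambda: os.setxattr(fd, ATTR, b"2"))
            out["fremovexattr"] = attempt_syscall(lambda: os.removexattr(fd, ATTR))
        finally:
            os.close(fd)
        # lsetxattr(2)/lremovexattr(2): on the symlink itself, not the target.
        out["lsetxattr"] = attempt_syscall(
            lambda: os.setxattr(link, ATTR, b"3", follow_symlinks=False))
        out["lremovexattr"] = attempt_syscall(
            lambda: os.removexattr(link, ATTR, follow_symlinks=False))
    return out
```

Each outcome line should correspond to one SYSCALL record in `ausearch -k perm_mod` output, with `success=no` on the calls that failed.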
