If you are trying to manually load those audit rules into the kernel you
should be able to do so with the following command:

  % auditctl -R /etc/audit/audit.rules

On Thu, May 19, 2022 at 4:19 PM Alex Triantafillidis (DESIGN LABORATORY INC) <v-alex...@microsoft.com> wrote:
>
> Hi Paul,
>
> Thank you for the quick response.
>
> I am rusty on Linux and I might be confused.
>
> The question is, can I directly call any of those
> (setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr)
> from the command line, or do they need to be a part of a script?
>
> Is it possible that those are not installed in cbl-mariner? I would say so
> but I cannot find a package available in mariner github. The only thing I
> found similar is "attr", but using it as a rule instead of, let's say, setxattr
> it won't even register as a rule.
>
> Any attempt to run
> setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr returns
> "command not found".
>
> How can I repro those rules without being able to use the commands to modify
> a file/directory?
>
> Regards.
>
> AlexT
>
>
> From: Paul Moore <p...@paul-moore.com>
> Date: Thursday, May 19, 2022 at 12:46 PM
> To: Alex Triantafillidis (DESIGN LABORATORY INC) <v-alex...@microsoft.com>
> Cc: linux-audit@redhat.com <linux-audit@redhat.com>
> Subject: [EXTERNAL] Re: Help setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr
>
> On Thu, May 19, 2022 at 12:45 PM Alex Triantafillidis (DESIGN
> LABORATORY INC) <v-alex...@microsoft.com> wrote:
> >
> > Hello Audit,
> >
> > I am trying to implement a set of rules related to "xattrs" on a MS
> > CBL-Mariner 1.0.
> >
> > I am following this guide.
> >
> > Record Events that Modify the System's Discretionary Access Controls
> > Group contains 13 rules
> >
> > [ref] At a minimum, the audit system should collect file permission
> > changes for all users and root. Note that the "-F arch=b32" lines should be
> > present even on a 64 bit system. These commands identify system calls for
> > auditing. Even if the system is 64 bit it can still execute 32 bit system
> > calls. Additionally, these rules can be configured in a number of ways
> > while still achieving the desired effect. An example of this is that the
> > "-S" calls could be split up and placed on separate lines, however, this is
> > less efficient. Add the following to /etc/audit/audit.rules:
> >
> > -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > If your system is 64 bit then these lines should be duplicated and the
> > arch=b32 replaced with arch=b64 as follows:
> >
> > -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> > -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
> >
> >
> > Thing is I get error to any of
> > setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr.
> >
> > bash: setxattr: command not found
>
> Hi Alex,
>
> Are you trying to execute the /etc/audit/audit.rules file directly
> (like it was a bash script)? I'm asking because the error you are
> getting makes it look like bash is trying to execute a program named
> "setxattr" which isn't going to work; the lines in audit.rules are
> intended to be passed as command line arguments to auditctl. Look at
> the augenrules script (repo link below) and the auditctl '-R' option.
>
> * https://github.com/linux-audit/audit-userspace/blob/master/init.d/augenrules
>
> --
> paul-moore.com

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
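The rules quoted in this thread are `auditctl` arguments, and the guide Alex follows says every `-S` syscall set must appear once with `-F arch=b32` and once with `-F arch=b64` on a 64-bit host. Below is an added example, not code from the thread, from the linux-audit project or from the guide: a small Python checker that parses `-a always,exit ...` lines in the format shown above (the `-F key=` and older `-k` key forms are both accepted) and reports every syscall that has a rule for only one of the two arches. The `SAMPLE_RULES` text is constructed for the example: it takes the three b32 lines from the thread but deliberately includes only the first b64 duplicate, so the checker has something to flag.

```python
import shlex
from collections import defaultdict

# Constructed sample, not from any real host: the three arch=b32 lines quoted
# in the thread plus only the first of the arch=b64 duplicates the guide asks
# for, so that the checker has gaps to report.
SAMPLE_RULES = """\
# Record Events that Modify the System's Discretionary Access Controls
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
"""


def parse_rule(line):
    """Parse one 'auditctl -a' style line into (arch, syscalls, key, filters).

    Returns None for blank lines, comments and lines that are not '-a' rules
    (for example '-D' or '-b 8192'), which this checker does not care about.
    """
    argv = shlex.split(line, comments=True)
    if len(argv) < 2 or argv[0] != "-a":
        return None
    arch, key, syscalls, filters = None, None, [], []
    i = 2                                    # skip '-a' and its 'list,action'
    while i + 1 < len(argv):
        flag, val = argv[i], argv[i + 1]
        if flag == "-S":
            syscalls.extend(val.split(","))  # '-S a,b,c' or repeated '-S'
        elif flag == "-k":
            key = val                        # older '-k name' key form
        elif flag == "-F" and val.startswith("arch="):
            arch = val[len("arch="):]
        elif flag == "-F" and val.startswith("key="):
            key = val[len("key="):]
        elif flag == "-F":
            filters.append(val)              # auid>=1000, auid!=unset, ...
        i += 2
    return arch, syscalls, key, filters


def coverage(rules_text):
    """Map (key, syscall) -> set of arches that carry a rule for it."""
    seen = defaultdict(set)
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        arch, syscalls, key, _ = parsed
        for sc in syscalls:
            seen[(key, sc)].add(arch)
    return seen


def missing_arch(rules_text, arches=("b32", "b64")):
    """Return sorted (key, syscall, arch) triples for syscalls that lack a rule
    on one of the expected arches. An empty list means every syscall set is
    duplicated for both arches, as the guide in the thread requires."""
    gaps = []
    items = sorted(coverage(rules_text).items(),
                   key=lambda kv: (kv[0][0] or "", kv[0][1]))
    for (key, sc), have in items:
        for arch in arches:
            if arch not in have:
                gaps.append((key, sc, arch))
    return gaps


if __name__ == "__main__":
    # Run against the constructed sample; a real check would read the file
    # that 'auditctl -R /etc/audit/audit.rules' loads.
    for key, sc, arch in missing_arch(SAMPLE_RULES):
        print(f"key={key}: syscall {sc} has no arch={arch} rule")
```

Point the script at the same file you hand to `auditctl -R` (after `augenrules` has merged any `/etc/audit/rules.d/*.rules` fragments, if that is how the host is set up) and an empty result means the b32/b64 pairing the guide asks for is complete. The names after `-S` are kernel syscall names that `auditctl` resolves for the rule filter; they are never executed as commands, which is why a shell reports `setxattr: command not found` when an audit.rules file is run as a script.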