auditd
Moved binaries in Almalinux 9
Hi there,
Just observing that some binaries in the Alma base install are in different locations; specifically, binaries that were normally in /bin and /sbin are now in /usr/bin and /usr/sbin/.
These are the ones I found:
sed -i'' 's/\/opt\/filebeat/\/usr\/bin\/filebeat/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/auditctl/\ \/usr\/sbin\/auditctl/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/insmod/\=\/usr\/sbin\/insmod/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/modprobe/\=\/usr\/sbin\/modprobe/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/rmmod/\=\/usr\/sbin\/rmmod/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/su/\ \/usr\/bin\/su/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/shutdown/\ \/usr\/sbin\/shutdown/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/poweroff/\ \/usr\/sbin\/poweroff/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/reboot/\ \/usr\/sbin\/reboot/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/halt/\ \/usr\/sbin\/halt/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/hostname/\ \/usr\/bin\/hostname/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/uname/\ \/usr\/bin\/uname/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/nc/\ \/usr\/bin\/nc/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/iptables/\ \/usr\/sbin\/iptables/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/ip6tables/\ \/usr\/sbin\/ip6tables/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/ifconfig/\ \/usr\/sbin\/ifconfig/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/xtables-nft-multi/\ \/usr\/sbin\/xtables-nft-multi/g' /etc/auditbeat/audit.rules.d/audit.rules
Perhaps it's worthwhile to additionally add /usr entries for every binary line, unless of course this doesn't matter for auditd; I admittedly am not an expert on the topic.
Maybe never mind? Seems like it's mostly symbolic linking, unless the link selected matters for auditd.
# For every /bin or /sbin path named in the rules file, report whether it exists
# at the legacy location, under /usr, at both, or at neither.
for E in $(grep '/bin/\|/sbin/' ./audit.rules | grep -o '\/.*/[[:alnum:]]*'); do
  if [ ! -e "$E" ] && [ -e "/usr$E" ]; then echo "Diff $E"; fi   # only under /usr
  if [ -e "$E" ] && [ ! -e "/usr$E" ]; then echo "Norm $E"; fi   # only at the legacy path
  if [ ! -e "$E" ] && [ ! -e "/usr$E" ]; then echo "Nope $E"; fi # missing at both
  if [ -e "$E" ] && [ -e "/usr$E" ]; then echo "Both $E"; fi     # present at both
done
fyi https://www.freedesktop.org/wiki/Software/systemd/TheCaseForTheUsrMerge/
I forgot the point; it really doesn't matter for auditd, but I still agree with you.
Maybe we should consider old systems: if we change that with sed (good solution!) then we no longer cover old systems... maybe I'm wrong.
Why not do both? Although not easy to do with sed, doing by hand is an option
Because it doesn't matter.
I'm fine doing both
As far as I know, auditd operates at the inode level and does not directly support monitoring symbolic links.
But let's take a look at hard links with the binary su on any RHEL.
There are 2 hard links pointing to the same file, so make two rules as you recommended:
-w /bin/su -p x -k rule_1
-w /usr/bin/su -p x -k rule_2
They are hard links with the same inode number; rule_1 will always match first, and whatever you do, rule_2 will never be triggered.
So multiple watch rules for the same inode don't make sense, and watch rules for symlinks don't make sense at all. Pointless rules won't make the system faster, nor the config more readable. Please test it and correct me if I'm wrong!
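As an added example (not code from this thread or from the Neo23x0/auditd project), the following POSIX shell script turns the two observations above into a check: the first post's point that /bin and /sbin are usr-merge symlinks on AlmaLinux 9, and the comment above that watch rules are keyed on the inode, so two -w rules for hard links (or for a symlink and its target) collapse onto one. It reads every `-w <path>` line from a rules file, resolves the path with `readlink -f`, looks up its device:inode with `stat`, and reports watches that duplicate an inode already watched or that name a path missing on the host. The sandbox it builds (a fake /usr/bin/su, a hard link to it, usr-merge-style bin and sbin symlinks) and the function names `watch_inode`, `classify_watches` and `make_sandbox` are constructed for this example; GNU coreutils (`readlink -f`, `stat -c`) are assumed, as on any RHEL-family host.

```shell
#!/bin/sh
# Added example: report -w watch rules that resolve to the same inode or to a
# missing path. Assumes GNU readlink/stat (Linux). Not part of the auditd project.

# Print "device:inode" for a path after following symlinks; fail if it is missing.
watch_inode() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ -e "$target" ] || return 1
    stat -c '%d:%i' "$target"
}

# Emit one line per "-w" rule in the given file:
#   OK <path> <dev:inode>       first watch rule for this inode
#   DUP <path> <dev:inode>      inode already watched by an earlier -w rule
#   MISSING <path>              path does not resolve on this host
classify_watches() {
    seen=" "
    awk '$1 == "-w" { print $2 }' "$1" | while IFS= read -r p; do
        if key=$(watch_inode "$p"); then
            case "$seen" in
                *" $key "*) printf 'DUP %s %s\n' "$p" "$key" ;;
                *) printf 'OK %s %s\n' "$p" "$key"; seen="$seen$key " ;;
            esac
        else
            printf 'MISSING %s\n' "$p"
        fi
    done
}

# Build a constructed sandbox mirroring the usr-merge layout and print its root:
#   usr/bin/su, a hard link usr/bin/su-hardlink, and bin -> usr/bin, sbin -> usr/sbin.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/sbin"
    printf '#!/bin/sh\n' > "$root/usr/bin/su"
    ln "$root/usr/bin/su" "$root/usr/bin/su-hardlink"
    printf '#!/bin/sh\n' > "$root/usr/sbin/modprobe"
    ln -s usr/bin "$root/bin"
    ln -s usr/sbin "$root/sbin"
    # Constructed rules file: rule_1..rule_3 all watch the same inode,
    # the modprobe watch is fine, and iptables is not installed in the sandbox.
    cat > "$root/audit.rules" <<EOF
-w $root/bin/su -p x -k rule_1
-w $root/usr/bin/su -p x -k rule_2
-w $root/usr/bin/su-hardlink -p x -k rule_3
-w $root/sbin/modprobe -p x -k modules
-w $root/sbin/iptables -p x -k firewall
-a always,exit -F arch=b64 -S execve -k exec
EOF
    printf '%s\n' "$root"
}

# Usage: sh watch_dedupe.sh /etc/audit/rules.d/audit.rules
# With no argument, run against the constructed sandbox so the output can be inspected.
if [ -n "${1:-}" ]; then
    classify_watches "$1"
else
    sandbox=$(make_sandbox)
    classify_watches "$sandbox/audit.rules"
    rm -rf "$sandbox"
fi
```

On the sandbox the first `su` watch is reported OK and the two others DUP with the same device:inode, which is the situation the comment above describes: only the first rule for that inode ever fires. Running it against a real rules file on an AlmaLinux 9 host shows which legacy /bin and /sbin lines are redundant with their /usr counterparts and which named binaries are simply absent.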
@novaksam off-topic, but AlmaLinux will "no longer be held to the line of “bug-for-bug compatibility” with Red Hat" https://almalinux.org/blog/future-of-almalinux/