Hello,

I lost the original, so I'm faking it...

On Thursday, August 11, 2016 6:57:52 PM EDT you wrote:
> I'm just working on PCI-DSS compliance with the
> xccdf_org.ssgproject.content_profile_pci-dss policy and the RHEL7 security
> guide.  Having reviewed the report.html file it's advising me about several
> recommended auditing issues, the blurb is:
> 
> At a minimum the audit system should collect file permission changes for all
> users and root.
> 
> The remediation advice suggests implementing the following audit rule for
> 32bit systems:
> 
> -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k
> perm_mod
> 
> But I'm confused as to how this achieves what it sets out to do.  I should
> mention that I'm establishing loginuid by running; cat /proc/<pid>/loginuid

That is one way to check it, but if your system is set up correctly, then it 
all just works. The rule above says log any calls to chown when the loginuid 
is 1000 or greater and is set. The rule does not cover all cases of chown, 
though.

The pci-dss rules shipped by the audit system are here:
https://github.com/linux-audit/audit-userspace/blob/master/rules/30-pci-dss-v31.rules

> 1) Most of the loginuids for "logged in users" on my machine have a loginuid
> of 4294967295 (which I understand is effectively -1 in other words the
> loginuid is not set). 

How can that be? Do you log in by the console or sshd? Do you have pam_loginuid.so 
in all your entry points' PAM stacks?

> Only users that have remotely accessed my machine by
> logging in over ssh seem to have a loginuid that would match the above
> criteria ie not 4294967295 and above 1000.  Is this normal?

No. How do other people log in?

> And why would I want to exclude auditing for users with a loginuid of
> 4294967295?

Because that is a daemon. Daemons are the only thing that should be -1. 
Normally user actions are the only thing of interest.

> 2) Furthermore how will the above criteria include the root user? 

Root is a shared account. Therefore you must not allow root logins. People 
should log in under their normal account and then su or sudo as needed. This way 
you can trace an administrative action to a specific person. If you allow root 
logins then you know root did it, but not who was acting as root.

> Does this have a loginuid of 1 (root) or something else?

If you login as root, its auid is 0.

> I'm sure the issue is down to my lack of knowledge, but I'd be grateful of
> some education.

If you get very interested in audit, there is a mailing list just for it:
http://www.redhat.com/mailman/listinfo/linux-audit

and the github page has various audit material:
https://github.com/linux-audit/audit-documentation/wiki

-Steve
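The following is an added worked example, not part of the thread above and not code from the audit project. It models the auid filters of the quoted rule (`-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod`) in Python so you can see which constructed chown events it would log: a regular user's chown is caught, a daemon (auid unset) and a direct root login (auid 0) are not, and neither is a 32-bit fchown nor a 64-bit chown, which is the "does not cover all cases" caveat. It also checks a PAM stack fragment for pam_loginuid.so and extracts auid from a constructed SYSCALL record. The rule representation, event dicts, sample records and helper names are assumptions made for this example.

```python
"""Added example: simulate the auid filters of the quoted PCI-DSS perm_mod rule,
check a PAM stack for pam_loginuid.so, and pull auid out of an audit record.
Not code from the thread or from the audit-userspace project.
"""
import re

# (uid_t)-1: loginuid never set. Expected for daemons; for an interactive
# login it means the entry point's PAM stack lacks pam_loginuid.so.
AUID_UNSET = 4294967295

# Hypothetical in-memory form of the quoted rule (not auditctl's own format):
# -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod
PCI_PERM_MOD_RULE = {
    "arch": "b32",
    "syscalls": {"chown"},
    "filters": [("auid", ">=", 1000), ("auid", "!=", AUID_UNSET)],
    "key": "perm_mod",
}

_OPS = {
    ">=": lambda a, b: a >= b,
    "!=": lambda a, b: a != b,
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
}


def classify_auid(auid: int) -> str:
    """Interpret a loginuid the way the thread describes it."""
    if auid == AUID_UNSET:
        return "unset"      # daemon, or a login path missing pam_loginuid.so
    if auid == 0:
        return "root"       # someone logged in directly as root
    if auid < 1000:
        return "system"     # system account below the user uid range
    return "user"           # ordinary person; what the rule is meant to catch


def rule_matches(rule: dict, event: dict) -> bool:
    """Return True if the rule would log this (constructed) syscall event."""
    if event["arch"] != rule["arch"]:
        return False
    if event["syscall"] not in rule["syscalls"]:
        return False
    return all(_OPS[op](event[field], value)
               for field, op, value in rule["filters"])


# Constructed events, one per situation discussed in the thread.
SAMPLE_EVENTS = [
    {"who": "alice via sshd",             "arch": "b32", "syscall": "chown",  "auid": 1001},
    {"who": "root via console (no su)",   "arch": "b32", "syscall": "chown",  "auid": 0},
    {"who": "cron daemon",                "arch": "b32", "syscall": "chown",  "auid": AUID_UNSET},
    {"who": "alice, fchown",              "arch": "b32", "syscall": "fchown", "auid": 1001},
    {"who": "alice, 64-bit chown",        "arch": "b64", "syscall": "chown",  "auid": 1001},
]


def audit_decisions(rule: dict = PCI_PERM_MOD_RULE, events=SAMPLE_EVENTS) -> dict:
    """Map each sample event to whether the rule logs it."""
    return {e["who"]: rule_matches(rule, e) for e in events}


# A session line loading pam_loginuid.so, whatever control flag is used.
_PAM_LOGINUID_RE = re.compile(
    r"^\s*session\s+(?:required|requisite|optional|sufficient|\[[^\]]*\])\s+pam_loginuid\.so",
    re.M,
)


def has_pam_loginuid(pam_stack_text: str) -> bool:
    """True if a PAM stack (e.g. the text of /etc/pam.d/sshd) sets loginuid."""
    return bool(_PAM_LOGINUID_RE.search(pam_stack_text))


# Constructed SYSCALL record in the general shape audit writes; the numeric
# fields are placeholders, only auid= and key= are used here.
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1470000000.123:456): arch=40000003 '
                 'syscall=182 success=yes exit=0 auid=1001 uid=1001 gid=1001 '
                 'comm="chown" exe="/usr/bin/chown" key="perm_mod"')

_AUID_RE = re.compile(r"\bauid=(\d+)\b")


def auid_from_syscall_record(record: str):
    """Extract auid from an audit record line; None if the field is absent."""
    m = _AUID_RE.search(record)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for who, logged in audit_decisions().items():
        print(f"{who:30s} logged={logged}")
    print("record auid:", auid_from_syscall_record(SAMPLE_RECORD),
          classify_auid(auid_from_syscall_record(SAMPLE_RECORD)))
```

Running it shows only "alice via sshd" logged, which is exactly what the rule promises: user actions with a set loginuid. If users who logged in at the console show up as unset, `has_pam_loginuid` against the text of that entry point's PAM file is the first thing to check.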

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
