Hello,

On Fri, Jan 5, 2018 at 6:00 PM, Paige, David B CTR USARMY ICOE (US) <
[email protected]> wrote:

> This check and some related ones require auditing for all users and root.
> The suggested line includes these elements:
>
> -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete
>
> Should this check include "-F auid=0" to properly audit the root user?
>

IIRC, the motivation for omitting "-F auid=0" when these audit rules were
written for SSG is / was as follows: you don't need to audit the actions of
the root user (they need to be trusted). IOW, there is just one user able to
act as root, and that one should / needs to be trusted.

If the root user account is shared between multiple users (and therefore you
truly need to audit the root account), you would have more trouble on the
system, because that would actually deny traceability / mapping of performed
actions back to the user who performed them. In such a case, even having an
audit log entry, you couldn't tell which of the users sharing the root account
performed the particular action.

That's why the "-F auid=0" argument doesn't need to be present in those rules.
If you need it, there's something wrong with the design of how your system
allows the 'root' user account to be used.


> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
>

HTH, Jan
--
Jan iankko Lieskovsky
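To make the auid semantics behind this exchange concrete, here is an added example (editor's code, not from the thread, from SSG or from any auditd tool) that evaluates the quoted rule's -F auid filters against a handful of constructed raw SYSCALL records. It assumes x86_64 syscall numbers for the sample records, and it adds a second, hypothetical root-only rule (ROOT_DELETE_RULE, not something the thread proposes) to show what covering direct root logins would actually require:

```python
import re

# Rule as quoted in the thread. "ARCH" is the SSG template placeholder that
# becomes b64 / b32 when the rule is installed; it is not evaluated here.
DELETE_RULE = ("-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat "
               "-F auid>=500 -F auid!=4294967295 -k delete")

# Hypothetical separate rule for direct root logins (not from the thread).
# -F fields within one rule are ANDed, so "auid=0" cannot simply be appended
# to a rule that already requires "auid>=500"; it needs its own -a line.
ROOT_DELETE_RULE = ("-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat "
                    "-F auid=0 -k delete")

# Login UID of a process for which pam_loginuid never ran (daemons started at
# boot, kernel threads): (uint32)-1, which auditctl also spells "unset".
AUID_UNSET = 4294967295

# x86_64 syscall numbers (assumption: the constructed records are arch=c000003e).
SYSCALL_NAMES = {82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b, "=": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_rule(rule):
    """Return (syscall names, [(op, value), ...]) for the -S list and the auid -F filters."""
    m = re.search(r"-S\s+(\S+)", rule)
    syscalls = set(m.group(1).split(",")) if m else set()
    auid_filters = []
    for tok in re.findall(r"-F\s+(\S+)", rule):
        fm = re.match(r"^auid(>=|<=|!=|=|>|<)(\d+)$", tok)
        if fm:
            auid_filters.append((fm.group(1), int(fm.group(2))))
    return syscalls, auid_filters


def parse_syscall_record(line):
    """Pull serial, syscall name and the two UIDs out of a raw SYSCALL record."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    serial = int(re.search(r"audit\([\d.]+:(\d+)\)", fields["msg"]).group(1))
    return {
        "serial": serial,
        "syscall": SYSCALL_NAMES.get(int(fields["syscall"]), "?"),
        "auid": int(fields["auid"]),   # login UID: set once at login, survives su/sudo
        "uid": int(fields["uid"]),     # real UID at the time of the call
    }


def rule_matches(rule, record):
    """A rule fires only if the syscall is listed AND every -F auid filter holds."""
    syscalls, auid_filters = parse_rule(rule)
    if record["syscall"] not in syscalls:
        return False
    return all(_OPS[op](record["auid"], value) for op, value in auid_filters)


def audited_serials(rules, lines):
    """Serials of the records that at least one of the given rules would log."""
    out = []
    for line in lines:
        rec = parse_syscall_record(line)
        if any(rule_matches(r, rec) for r in rules):
            out.append(rec["serial"])
    return out


# Constructed SYSCALL records (raw auditd format, trimmed to the fields used here).
SAMPLE_RECORDS = [
    # 101: user 1000 unlinks a file as herself.
    'type=SYSCALL msg=audit(1515171600.101:101): arch=c000003e syscall=87 success=yes exit=0 '
    'ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="rm" exe="/usr/bin/rm"',
    # 102: same user via sudo: uid is now 0, but the login UID is still 1000.
    'type=SYSCALL msg=audit(1515171600.102:102): arch=c000003e syscall=263 success=yes exit=0 '
    'ppid=2010 pid=2011 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="rm" exe="/usr/bin/rm"',
    # 103: direct root login (auid=0) renaming a file.
    'type=SYSCALL msg=audit(1515171600.103:103): arch=c000003e syscall=82 success=yes exit=0 '
    'ppid=3001 pid=3002 auid=0 uid=0 gid=0 euid=0 tty=tty1 comm="mv" exe="/usr/bin/mv"',
    # 104: daemon started at boot, login UID never set.
    f'type=SYSCALL msg=audit(1515171600.104:104): arch=c000003e syscall=87 success=yes exit=0 '
    f'ppid=1 pid=800 auid={AUID_UNSET} uid=0 gid=0 euid=0 tty=(none) comm="logrotate" exe="/usr/sbin/logrotate"',
    # 105: user 1000 calling a syscall the rule does not list (open = 2).
    'type=SYSCALL msg=audit(1515171600.105:105): arch=c000003e syscall=2 success=yes exit=3 '
    'ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat"',
]

if __name__ == "__main__":
    print("SSG rule alone: ", audited_serials([DELETE_RULE], SAMPLE_RECORDS))
    print("plus root rule: ", audited_serials([DELETE_RULE, ROOT_DELETE_RULE], SAMPLE_RECORDS))
    print("auid=0 appended:", audited_serials([DELETE_RULE + " -F auid=0"], SAMPLE_RECORDS))
```

What a practitioner should take from running it: auid is the login UID, so a user who reaches root through sudo or su keeps auid=1000 and is still logged, and attributable, by the rule exactly as quoted; only processes whose login UID is 0 (a direct root login) or unset (boot-time daemons) fall outside it. Because the -F fields of one rule are ANDed, appending -F auid=0 to this rule matches nothing at all; if root logins are to be audited, that takes a separate -a line such as the hypothetical ROOT_DELETE_RULE above.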