Error in audit.rules #2

Open
lennartkoopmann opened this issue Sep 13, 2018 · 3 comments
Assignees
Labels
bug Something isn't working

Comments

@lennartkoopmann

I'm getting this when trying to apply a copy of the rules file:

-F unknown field: uid
There was an error in line 18 of /etc/audit/audit.rules
Error sending add rule data request (No such file or directory)
There was an error in line 83 of /etc/audit/audit.rules

The two offending lines are:

-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts

Not sure about the problem with the uid, but the "No such file or directory" makes sense, because I don't have /usr/libexec/openssh/ssh-keysign.

Commenting out those two lines worked for me. I suspect that this is related to my Linux distribution and version? If so, we should probably add a note about supported distros (or which distros the rules file has been tested on) to the README.

I'm on auditd v2.8.2 and here are my OS details:

NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
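Both errors above are load-time failures that can be caught before auditctl ever sees the file. The following POSIX sh pre-check is an added example, not code from this repository: it flags `-F path=`, `-F dir=` and `-w` targets that do not exist on the host, and user names in `-F uid=`/`auid=`/`euid=` that are not present in `/etc/passwd` (auditctl resolves such names when the rule is loaded). The sample rules it runs against are constructed, modeled on the two offending lines.

```shell
#!/bin/sh
# Added example, not part of the repository: pre-check an audit.rules file on the
# target host before loading it with auditctl/augenrules. Flags two load-time
# failure modes: file targets (-F path=, -F dir=, -w) that do not exist, and user
# names in -F uid=/auid=/euid= that are not in /etc/passwd.

# Usage: check_audit_rules FILE ; prints one line per problem, nothing if clean.
check_audit_rules() {
    n=0
    prev=''
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) prev=''; continue ;; esac
        for tok in $line; do
            case "$tok" in
                path=*|dir=*)
                    p=${tok#*=}
                    [ -e "$p" ] || echo "line $n: path $p does not exist" ;;
                uid=*|auid=*|euid=*|uid!=*|auid!=*|euid!=*)
                    u=${tok#*=}
                    case "$u" in
                        unset|-1|[0-9]*) ;;   # numeric ids and 'unset' need no lookup
                        *) grep -q "^$u:" /etc/passwd ||
                               echo "line $n: user $u not found" ;;
                    esac ;;
            esac
            # a watch rule (-w PATH) names its target in the token after -w
            [ "$prev" = '-w' ] && [ ! -e "$tok" ] &&
                echo "line $n: watch path $tok does not exist"
            prev=$tok
        done
    done < "$1"
}

# Constructed sample: the two failing rule shapes from the issue (with a made-up
# user name and path) plus two rules that should pass on any Linux host.
demo_check() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=nonexistent_user_xyz -F subj_type=chronyd_t
-a always,exit -F path=/nonexistent/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F auid=root -k exec
EOF
    check_audit_rules "$f"
    rm -f "$f"
}

demo_check
```

Running it on the sample reports only lines 1 and 2; run `check_audit_rules /etc/audit/audit.rules` on a host to see which rules would fail there before loading.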
bfuzzy added a commit that referenced this issue Sep 14, 2018
Commenting out the affected lines from issue: #2
@bfuzzy
Owner

bfuzzy commented Sep 14, 2018

@lennartkoopmann Thank you for noting this issue! I went ahead and commented out those affected rules in the ruleset until I get a chance to tinker with things.

And, you are most correct about establishing what flavors this has been tested on. I've been testing individual rules on Ubuntu 16, and an older version of Fedora. I need to put together a process and get updated / latest "greatest" and test the ruleset from there. It might just be a matter of creating separate rulesets across multiple different flavors of Linux and putting out rulesets based off those findings.

Time is pretty tight for me at the moment, but I am going to leave this issue open and will put updates in here related to my progress.

Thank you again! 👍

@bfuzzy bfuzzy added the bug Something isn't working label Sep 14, 2018
@bfuzzy bfuzzy self-assigned this Sep 14, 2018
@lennartkoopmann
Author

Thanks! I'm running this against Ubuntu Server 18.04 and Ubuntu (Workstation) 18.04 and had to make a few adjustments. Adjusting exclusions for the Firefox cache etc., too.

Happy to help with this going forward!

@bfuzzy
Owner

bfuzzy commented Sep 14, 2018

Submit a pull! I'm always open to other people's ideas and thoughts!
