Prateek Kumar Nischal 12/17/2020, 4:59 PM
field in the syscall audit record to determine if the event was intended for writing, e.g. this record was emitted by auditd and has the a2 field as O_RDONLY:
arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffcabc35875 a2=O_RDONLY a3=0x0 items=1 ppid=10846 pid=11679 auid=... exe=/bin/cat key=sys_bin
This one was emitted by osquery, with a2 = 0x441, which shows the intent of writing to a file (using tee):
arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=557f5aeb2b90 a2=441 a3=1b6 items=2 ppid=2516 pid=2517 auid=... exe="/bin/bash" key="test"
so the false positive rate might make the writability determination useless.
Prateek Kumar Nischal 12/18/2020, 10:23 PM
can implement a FIM rule by
auditctl -w /etc -p rwxa -k key
(see man 8 auditctl). This translates to
-a always,exit -S all -F path=/etc -k key
which means it’s going to look at all the syscalls that try to do something with the path prefix /etc (it’s recursive). An excerpt from the description of the flag in the man page:
The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.
syscall and nothing else when trying to write something into a file.