Prateek Kumar Nischal, 12/17/2020, 4:59 PM:
a2 field in the syscall audit record to determine if the event was intended for writing, e.g.

arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffcabc35875 a2=O_RDONLY a3=0x0 items=1 ppid=10846 pid=11679 auid=... exe=/bin/cat key=sys_bin

Example: this record was emitted by auditd and has the a2 field as O_RDONLY.

This one was emitted by osquery:

arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=557f5aeb2b90 a2=441 a3=1b6 items=2 ppid=2516 pid=2517 auid=... exe="/bin/bash" key="test"

a2 = 0x441, which is O_WRONLY|O_CREAT|O_APPEND, showing the intent of writing to a file (using tee).

theopolis, 12/18/2020, 3:35 AM:

alessandrogario, 12/18/2020, 12:01 PM:

theopolis, 12/18/2020, 2:54 PM:
open
so the false positive rate might make the writability determination useless.

alessandrogario, 12/18/2020, 2:57 PM:

theopolis, 12/18/2020, 2:57 PM:

alessandrogario, 12/18/2020, 2:58 PM:

theopolis, 12/18/2020, 2:58 PM:

alessandrogario, 12/18/2020, 2:58 PM:

theopolis, 12/18/2020, 2:59 PM:

Prateek Kumar Nischal, 12/18/2020, 10:23 PM:
write syscall.. the man 8 auditctl can implement a FIM rule by

auditctl -w /etc -p rwxa -k key

This translates to

-a always,exit -S all -F path=/etc -k key

which means it's going to look at all the syscalls that try to do something with the path prefix /etc (it's recursive).

An excerpt from the -p flag in the man page:
The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.

openat syscall and nothing else when trying to write something into a file..