What's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in `auditctl`?

audit centos7 auditd

My server is centos7.6 with auditd 2.8.5

In audit rule, I set:
-a always,exit -F arch=b32 -S adjtimex,settimeofday -F key=time-change
But this rule also record normal ntpd activities,then I tried to revise this rule to: 

-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F subj_type!=ntpd_t  -F auid!=chrony -F auid!=ntp -F auid!=chrony -F auid!=ntp -F key=time-change

Should use auid!=ntp or uid!=ntp? I checked the manual:

Each inter-field equation is anded with each other as well as equations starting with -F to trigger an audit record. There are 2 operators supported - equal, and not equal. Valid fields are: auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid

I am confused, what's the difference between auid, uid, euid, suid, fsuid, obj_uid, gid, egid, sgid, fsgid, obj_gid in auditctl?


The audit manual assumes you are familiar with a POSIX security model and the many types of uids. Read man credentials to get more familiar with that. However, that is incomplete, reference a security guide (such as the RHEL Audit System Reference) for the rest. Notably:

auid

Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john).

A rule and its exceptions could be written on one line for efficiency. However, I sometimes start with more simpler rules. Easier to understand, and piece together examples.

auditd ships with example rules for auditing time change and ignoring chronyd. Look at /usr/share/doc/audit*/rules/22-ignore-chrony.rules:

## This rule suppresses the time-change event when chrony does time updates
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -Fuid=chrony -F subj_type=chronyd_t

"On a 64 bit platform, for the adjtimex call, when audit UID does not exist (not a login shell), and user name is chrony, and SELinux context is chronyd_t, never log."

Actually, that example may have a bug. With chronyd running under systemd, and the example rules from 30-pci-dss-v31.rules, I found audit events as uid 0.

type=SYSCALL msg=audit(1552670692.891:1067): arch=c000003e syscall=159 success=yes exit=5 a0=7ffe0d94ae10 a1=0 a2=55e857a3af60 a3=0 items=0 ppid=1 pid=6487 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key="10.4.2b-time-change"

ps reports it running as user chrony, and in the chronyd_t context. So it is confined, but auditd reflects how systemd started it as root.

Try the condition -F auid=unset -F subj_type=chronyd_t. Not from a login shell and in the correct context is good enough for me.

(This subsystem has its quirks. The only place I was able to translate auid=4294967295 to unset is the mailing list.)

Related

How do I log console output from a XEN VM?
Wordpress + nginx infinite redirect loop
LTO-8 tapes long-term storage rules
How secure is webdav? Is smb tunneling over ssh (with putty) a better solution?
Does Docker's CAP_NET_ADMIN allow a container to affect the host network, or only it's own?
How to limit number of connections per IP on Nginx?
Routing LAN traffic from Edgerouter to wg0
2nd Exchange Server 2013
Is there something like a map function in puppet?
Ubuntu 18.04 - Temporary failure resolving 'us-east-1.ec2.archive.ubuntu.com'
Wouldn't setting the DNS server to 127.0.0.1 prevent my system from actually resolving remote hosts? I found this answer
Twilight Zelda Guardian Puzzle : Shortest Path (UPDATE: ADDED RULES)