Moved binaries in Almalinux 9 #98

Open

novaksam opened this issue Jul 10, 2023 · 8 comments

Comments

@novaksam

Hi there,

Just observing that some binaries in the Alma base install are in different locations; specifically, binaries that were normally in /bin and /sbin are now in /usr/bin and /usr/sbin/.

These are the ones I found:

sed -i'' 's/\/opt\/filebeat/\/usr\/bin\/filebeat/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/auditctl/\ \/usr\/sbin\/auditctl/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/insmod/\=\/usr\/sbin\/insmod/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/modprobe/\=\/usr\/sbin\/modprobe/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\=\/sbin\/rmmod/\=\/usr\/sbin\/rmmod/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/su/\ \/usr\/bin\/su/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/shutdown/\ \/usr\/sbin\/shutdown/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/poweroff/\ \/usr\/sbin\/poweroff/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/reboot/\ \/usr\/sbin\/reboot/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/halt/\ \/usr\/sbin\/halt/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/hostname/\ \/usr\/bin\/hostname/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/uname/\ \/usr\/bin\/uname/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/bin\/nc/\ \/usr\/bin\/nc/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/iptables/\ \/usr\/sbin\/iptables/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/ip6tables/\ \/usr\/sbin\/ip6tables/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/ifconfig/\ \/usr\/sbin\/ifconfig/g' /etc/auditbeat/audit.rules.d/audit.rules
sed -i'' 's/\ \/sbin\/xtables-nft-multi/\ \/usr\/sbin\/xtables-nft-multi/g' /etc/auditbeat/audit.rules.d/audit.rules

Perhaps it's worthwhile to additionally add /usr entries for every binary line, unless of course this doesn't matter for auditd; I admittedly am not an expert on the topic.

@novaksam
Author

Maybe never mind? Seems like it's mostly symbolic linking, unless the link selected matters for auditd.

# For every /bin or /sbin path in the rules, report whether it exists at the
# original location, under /usr, at both, or at neither.
for E in $(grep '/bin/\|/sbin/' ./audit.rules | grep -o '\/.*/[[:alnum:]]*'); do
    if [ ! -e "$E" ] && [ -e "/usr$E" ]; then echo "Diff $E"; fi
    if [ -e "$E" ] && [ ! -e "/usr$E" ]; then echo "Norm $E"; fi
    if [ ! -e "$E" ] && [ ! -e "/usr$E" ]; then echo "Nope $E"; fi
    if [ -e "$E" ] && [ -e "/usr$E" ]; then echo "Both $E"; fi
done

@kovacs-andras
Contributor

I forgot the point, it really doesn't matter for auditd but I still agree with you.

@Pierre-Gronau-ndaal
Contributor

Maybe we consider an old system, and if we change that with sed (good solution!) then we do not cover old systems anymore... maybe I'm wrong.

@novaksam
Author

novaksam commented Jul 14, 2023 via email

Why not do both? Although not easy to do with sed, doing by hand is an option.

@kovacs-andras
Contributor

Because it doesn't matter.

@Pierre-Gronau-ndaal
Contributor

I'm fine doing both.

@kovacs-andras
Contributor

> I'm fine doing both.

As far as I know, auditd operates at the inode level and does not directly support the monitoring of symbolic links.

But let's take a look at hard links with the binary su on any RHEL.
There are 2 hard links pointing to the same file, so make two rules as you recommended:

-w /bin/su -p x -k rule_1
-w /usr/bin/su -p x -k rule_2

They are hard links with the same inode number; rule_1 will always match first, and whatever you do, rule_2 will never be triggered.

So multiple watch rules for the same inode don't make sense, and watch rules for symlinks don't make sense at all.
Pointless rules won't make the systems faster, nor the config more readable. Please test it and correct me if I'm wrong!

@novaksam off topic, but AlmaLinux will "no longer be held to the line of “bug-for-bug compatibility” with Red Hat": https://almalinux.org/blog/future-of-almalinux/
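A small lint that applies the inode argument above to a rules file, added here as an example and not code from the Neo23x0/auditd project or from anyone in this thread: it flags -w rules whose path is a symlink, paths missing on this host, and a second rule on an inode already covered by an earlier rule (the su case above). It assumes GNU coreutils (stat -c, readlink); the fixture directory, file names and rule keys are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Neo23x0/auditd project or this thread.
# Lints "-w" watch rules by inode. Assumes GNU coreutils (stat -c, readlink);
# every path and rule key in the fixture below is constructed for the demo.
lint_watch_rules() {
    rules_file=$1
    seen=""   # "dev:inode" pairs already covered by an earlier -w rule
    grep -E '^[[:space:]]*-w[[:space:]]' "$rules_file" |
    while read -r flag path rest; do
        if [ -L "$path" ]; then
            # auditd watches inodes: a rule on the link is not a rule on its target
            printf 'SYMLINK %s -> %s\n' "$path" "$(readlink "$path")"
        elif [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"
        else
            ino=$(stat -c '%d:%i' "$path")
            # same inode as an earlier rule: only the first rule ever fires
            case " $seen " in
                *" $ino "*) printf 'DUP %s (inode %s)\n' "$path" "$ino" ;;
                *) seen="$seen $ino"; printf 'OK %s\n' "$path" ;;
            esac
        fi
    done
}

# Constructed fixture mirroring the thread: two hard links to su, a merged-/usr
# style symlink for hostname, and a path that does not exist on this host.
demo_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    : > "$dir/usr/bin/su"
    ln "$dir/usr/bin/su" "$dir/bin/su"                # hard link, same inode
    : > "$dir/usr/bin/hostname"
    ln -s ../usr/bin/hostname "$dir/bin/hostname"     # symbolic link
    cat > "$dir/audit.rules" <<EOF
-w $dir/bin/su -p x -k rule_1
-w $dir/usr/bin/su -p x -k rule_2
-w $dir/bin/hostname -p x -k rule_3
-w $dir/bin/nc -p x -k rule_4
EOF
    lint_watch_rules "$dir/audit.rules"
    rm -rf "$dir"
}

demo_fixture
```

Point lint_watch_rules at a real /etc/audit/rules.d file to see which of its -w lines are redundant on a merged-/usr host and which only exist on older layouts.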
