[PATCH] audit=0 appears not to completely disable auditing
by Steve Grubb
Hi,
There was a bz, 231371, reporting that current upstream kernels do not completely
disable auditing when booted with audit=0 and the audit daemon not configured to
run. You can reproduce the problem by:
service auditd stop
auditctl -e 0
auditctl -w /etc/passwd
and you'd get an event in syslog:
Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295
subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1
The patch below solves this problem by checking audit_enabled before creating
an audit event.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c
--- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500
@@ -238,46 +238,50 @@ void audit_log_lost(const char *message)
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_rate_limit;
+ if (audit_enabled) {
+ int old = audit_rate_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_rate_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_rate_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_rate_limit = limit;
return 0;
}
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_backlog_limit;
+ if (audit_enabled) {
+ int old = audit_backlog_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_backlog_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_backlog_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_backlog_limit = limit;
return 0;
}
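Review bot: The new `if (audit_enabled) {` wrapper at the top of audit_set_rate_limit and audit_set_backlog_limit pushes the whole logging body, including the `int old` declaration, one level deeper, and the same wrapped block recurs in audit_set_enabled, audit_set_failure and the AUDIT_STATUS_PID branch of audit_receive_msg later in this patch. The five sites differ only in the field name and the two values, so the selinux_ctxid_to_string/audit_log/kfree sequence could move into one static helper that returns the rc, leaving each caller as a guard plus one call while keeping the existing early return on a context-lookup failure (audit_set_enabled keeps its `audit_enabled || state` guard so the 0→1 transition is still recorded). The `else` after `return rc;` is redundant in every copy. With the helper sketched below a caller becomes `if (audit_enabled) { int rc = audit_log_config_change("audit_rate_limit", limit, audit_rate_limit, loginuid, sid); if (rc) return rc; }`.
```c
/* Emit the AUDIT_CONFIG_CHANGE record shared by the audit_set_* paths.
 * Callers decide whether to log (audit_enabled); returns 0 or the error
 * from selinux_ctxid_to_string() so they can keep their early return. */
static int audit_log_config_change(const char *function, int newval, int old,
				   uid_t loginuid, u32 sid)
{
	if (sid) {
		char *ctx = NULL;
		u32 len;
		int rc = selinux_ctxid_to_string(sid, &ctx, &len);
		if (rc)
			return rc;
		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
			  "%s=%d old=%d by auid=%u subj=%s",
			  function, newval, old, loginuid, ctx);
		kfree(ctx);
	} else
		audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
			  "%s=%d old=%d by auid=%u",
			  function, newval, old, loginuid);
	return 0;
}
```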
@@ -289,21 +293,23 @@ static int audit_set_enabled(int state,
if (state != 0 && state != 1)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled || state) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_enabled=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_enabled=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_enabled = state;
return 0;
}
@@ -317,21 +323,23 @@ static int audit_set_failure(int state,
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_failure=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_failure=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_failure = state;
return 0;
}
@@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
- int old = audit_pid;
- if (sid) {
- if ((err = selinux_ctxid_to_string(
- sid, &ctx, &len)))
- return err;
- else
+ if (audit_enabled) {
+ int old = audit_pid;
+ if (sid) {
+ if ((err = selinux_ctxid_to_string(
+ sid, &ctx, &len)))
+ return err;
+ else
+ audit_log(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE,
+ "audit_pid=%d old=%d by auid=%u subj=%s",
+ status_get->pid, old,
+ loginuid, ctx);
+ kfree(ctx);
+ } else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
- "audit_pid=%d old=%d by auid=%u subj=%s",
- status_get->pid, old,
- loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
- status_get->pid, old, loginuid);
+ status_get->pid, old,
+ loginuid);
+ }
audit_pid = status_get->pid;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
--- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+extern int audit_enabled;
+
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
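Review bot: `extern int audit_enabled;` is declared locally in auditfilter.c, so the declaration is never checked against the definition in audit.c and every further consumer would have to repeat it. If include/linux/audit.h does not already export it, that header is the conventional home for the declaration; if other audit files already carry a file-local extern for it, matching them is acceptable but worth a word in the commit message.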
@@ -897,7 +899,6 @@ static void audit_update_watch(struct au
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *oentry, *nentry;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -937,13 +938,18 @@ static void audit_update_watch(struct au
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=updated rules specifying path=");
- audit_log_untrustedstring(ab, owatch->path);
- audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab,
+ "op=updated rules specifying path=");
+ audit_log_untrustedstring(ab, owatch->path);
+ audit_log_format(ab, " with dev=%u ino=%lu\n",
+ dev, ino);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
+ }
audit_remove_watch(owatch);
goto add_watch_to_parent; /* event applies to a single watch */
}
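Review bot: `audit_log_start()` can return NULL — the audit_log_rule_change hunk in this same file guards it with `if (!ab) return;` — yet the rewritten block in audit_update_watch hands `ab` straight to audit_log_format/audit_log_untrustedstring/audit_log_end without that check, and the same shape is repeated in audit_remove_parent_watches in the next hunk. Unless every audit_log_* helper is known to tolerate a NULL buffer, guard the body: `ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (ab) { ... }`, or move the logging into a small static function that returns early the way audit_log_rule_change does. Both functions start and end outside their hunks.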
@@ -962,25 +968,28 @@ static void audit_remove_parent_watches(
struct audit_watch *w, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *e;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
parent->flags |= AUDIT_PARENT_INVALID;
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=remove rule path=");
- audit_log_untrustedstring(ab, w->path);
- if (r->filterkey) {
- audit_log_format(ab, " key=");
- audit_log_untrustedstring(ab, r->filterkey);
- } else
- audit_log_format(ab, " key=(null)");
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "op=remove rule path=");
+ audit_log_untrustedstring(ab, w->path);
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab,
+ r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " list=%d res=1",
+ r->listnr);
+ audit_log_end(ab);
+ }
list_del(&r->rlist);
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
@@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t
{
struct audit_buffer *ab;
+ if (!audit_enabled)
+ return;
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
[PATCH] Make IPC mode consistent
by Steve Grubb
Hi,
The mode fields for IPC records are not consistent. Some are hex, others are
octal. This patch makes them all octal.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.i686.orig/kernel/auditsc.c linux-2.6.18.i686/kernel/auditsc.c
--- linux-2.6.18.i686.orig/kernel/auditsc.c 2007-05-29 10:27:13.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditsc.c 2007-05-29 10:33:07.000000000 -0400
@@ -941,7 +941,7 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- "ouid=%u ogid=%u mode=%x",
+ "ouid=%u ogid=%u mode=%#o",
axi->uid, axi->gid, axi->mode);
if (axi->osid != 0) {
char *ctx = NULL;
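Review bot: Switching `mode=%x` to `mode=%#o` changes a userspace-visible record format — `%#o` prints a leading zero (e.g. `mode=0644`, constructed example), so a consumer that parsed the IPC `mode=` field as hex now reads a different value; the description should say so, and the userspace parsers should be confirmed to treat the IPC mode as octal. The AUDIT_IPC_SET_PERM case in the next hunk gets the same change. `%o` consumes an `unsigned int`; the declared type of `axi->mode` is outside the hunk, so confirm it promotes to that. audit_log_exit starts and ends outside both hunks.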
@@ -960,7 +960,7 @@ static void audit_log_exit(struct audit_
case AUDIT_IPC_SET_PERM: {
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
- "qbytes=%lx ouid=%u ogid=%u mode=%x",
+ "qbytes=%lx ouid=%u ogid=%u mode=%#o",
axi->qbytes, axi->uid, axi->gid, axi->mode);
break; }
Re: ssh in SLES10 SP1 RC2
by Michael Folsom
Folks:
Thanks!
Checked and SLES10/SLED10 SP1 rc2 and rc3 are both running openssh 4.2p1-18.
Looks like monitoring logouts won't happen in Suse Enterprise land
until SSH gets revved to a newer version!
Be well,
Michael
On 5/25/07, Wieprecht, Karen M. <Karen.Wieprecht(a)jhuapl.edu> wrote:
> Yep, based on some earlier emails I saved, I think Steve said that
> ssh needs to be at version 4.3p2-13 or later to generate logout
> (USER_END) audit records correctly.
>
> Karen Wieprecht
>
>
Identifying writes to NFS
by Matthew Booth
I'd like to be able to reliably recognise a PATH record which refers to
an NFS mount. It seems that dev=00:xx would be related to the answer.
However, each mount seems to have its own value of xx, and other mounts
not backed by a block device, eg /proc and /dev, also have dev=00:xx.
The answer can't be related to a single system, as the solution has to
be rolled out across a large estate with a variety of nfs mounts on
particular servers.
Any ideas? Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
AUDIT_AVC_PATH problems
by Alexander Viro
Selinux folks had been complaining about the lack of AVC_PATH
records when audit is disabled. I must admit my stupidity - I assumed
that avc_audit() really couldn't use audit_log_d_path() because of
deadlocks (== could be called with dcache_lock or vfsmount_lock held).
Shouldn't have made that assumption - it never gets called that way.
It _is_ called under spinlocks, but not those.
Since audit_log_d_path() uses ab->gfp_mask for allocations, kmalloc()
in there is not a problem. IOW, the simple fix should be sufficient: let's
rip AUDIT_AVC_PATH out and simply generate pathname as part of main record.
It's trivial to do. Patch below is against the mainline, rhel5 variant
is also trivial.
Comments?
diff --git a/include/linux/audit.h b/include/linux/audit.h
index fccc6e5..f3d6e5f 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -399,7 +399,6 @@ extern int audit_bprm(struct linux_binprm *bprm);
extern int audit_socketcall(int nargs, unsigned long *args);
extern int audit_sockaddr(int len, void *addr);
extern int __audit_fd_pair(int fd1, int fd2);
-extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
extern int audit_set_macxattr(const char *name);
extern int __audit_mq_open(int oflag, mode_t mode, struct mq_attr __user *u_attr);
extern int __audit_mq_timedsend(mqd_t mqdes, size_t msg_len, unsigned int msg_prio, const struct timespec __user *u_abs_timeout);
@@ -479,7 +478,6 @@ extern int audit_signals;
#define audit_socketcall(n,a) ({ 0; })
#define audit_fd_pair(n,a) ({ 0; })
#define audit_sockaddr(len, addr) ({ 0; })
-#define audit_avc_path(dentry, mnt) ({ 0; })
#define audit_set_macxattr(n) do { ; } while (0)
#define audit_mq_open(o,m,a) ({ 0; })
#define audit_mq_timedsend(d,l,p,t) ({ 0; })
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e36481e..10e0e6e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -176,12 +176,6 @@ struct audit_aux_data_fd_pair {
int fd[2];
};
-struct audit_aux_data_path {
- struct audit_aux_data d;
- struct dentry *dentry;
- struct vfsmount *mnt;
-};
-
struct audit_aux_data_pids {
struct audit_aux_data d;
pid_t target_pid[AUDIT_AUX_PIDS];
@@ -657,12 +651,6 @@ static inline void audit_free_aux(struct audit_context *context)
struct audit_aux_data *aux;
while ((aux = context->aux)) {
- if (aux->type == AUDIT_AVC_PATH) {
- struct audit_aux_data_path *axi = (void *)aux;
- dput(axi->dentry);
- mntput(axi->mnt);
- }
-
context->aux = aux->next;
kfree(aux);
}
@@ -998,11 +986,6 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
audit_log_hex(ab, axs->a, axs->len);
break; }
- case AUDIT_AVC_PATH: {
- struct audit_aux_data_path *axi = (void *)aux;
- audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
- break; }
-
case AUDIT_FD_PAIR: {
struct audit_aux_data_fd_pair *axs = (void *)aux;
audit_log_format(ab, "fd0=%d fd1=%d", axs->fd[0], axs->fd[1]);
@@ -1952,36 +1935,6 @@ void __audit_ptrace(struct task_struct *t)
}
/**
- * audit_avc_path - record the granting or denial of permissions
- * @dentry: dentry to record
- * @mnt: mnt to record
- *
- * Returns 0 for success or NULL context or < 0 on error.
- *
- * Called from security/selinux/avc.c::avc_audit()
- */
-int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt)
-{
- struct audit_aux_data_path *ax;
- struct audit_context *context = current->audit_context;
-
- if (likely(!context))
- return 0;
-
- ax = kmalloc(sizeof(*ax), GFP_ATOMIC);
- if (!ax)
- return -ENOMEM;
-
- ax->dentry = dget(dentry);
- ax->mnt = mntget(mnt);
-
- ax->d.type = AUDIT_AVC_PATH;
- ax->d.next = context->aux;
- context->aux = (void *)ax;
- return 0;
-}
-
-/**
* audit_signal_info - record signal info for shutting down audit subsystem
* @sig: signal value
* @t: task being signaled
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e4396a8..2f4c2bb 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -570,10 +570,12 @@ void avc_audit(u32 ssid, u32 tsid,
case AVC_AUDIT_DATA_FS:
if (a->u.fs.dentry) {
struct dentry *dentry = a->u.fs.dentry;
- if (a->u.fs.mnt)
- audit_avc_path(dentry, a->u.fs.mnt);
- audit_log_format(ab, " name=");
- audit_log_untrustedstring(ab, dentry->d_name.name);
+ if (a->u.fs.mnt) {
+ audit_log_d_path(ab, "path=", dentry, a->u.fs.mnt);
+ } else {
+ audit_log_format(ab, " name=");
+ audit_log_untrustedstring(ab, dentry->d_name.name);
+ }
inode = dentry->d_inode;
} else if (a->u.fs.inode) {
struct dentry *dentry;
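Review bot: In the `a->u.fs.mnt` branch the main record now carries `path=` but no longer the `name=` field the old code emitted unconditionally, and the AF_UNIX branch in the next hunk drops `name=` the same way, so AVC records gain the full path and lose the basename in one step; any consumer keying on `name=` in AVC records stops matching. If that is intended, state it in the description; otherwise drop the `else` so `audit_log_format(ab, " name=");` and `audit_log_untrustedstring(ab, dentry->d_name.name);` run in both cases after the optional audit_log_d_path call. Whether `"path="` needs the leading space that `" name="` carries depends on audit_log_d_path, which is outside the diff. avc_audit starts and ends outside these hunks.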
@@ -624,9 +626,8 @@ void avc_audit(u32 ssid, u32 tsid,
case AF_UNIX:
u = unix_sk(sk);
if (u->dentry) {
- audit_avc_path(u->dentry, u->mnt);
- audit_log_format(ab, " name=");
- audit_log_untrustedstring(ab, u->dentry->d_name.name);
+ audit_log_d_path(ab, "path=",
+ u->dentry, u->mnt);
break;
}
if (!u->addr)
Offline configuration
by Robert Evans
Hi,
Now that I've got auditing to work on Fedora Core, I have a few more questions.
First, the boxes I've got it working on are connected to the internet and have
the latest updates. Now I need to make stuff work on boxes that are *not*
connected to the internet and are built off of the base CD/DVD.
I know I need the latest versions of the following packages on a system
audit
audit-lib
glibc-kernheaders
openssh
openssh-server
openssh-client
openssh-askpass
openssh-askpass-gnome
Do I need the latest of
audit-libs-devel
kernel
as well?
Also, what other packages are critical to get NISPOM compliance? Even when I
updated the above packages, it didn't look like failed logins on the gnome
desktop were generating events. I realize this may be particular to RHEL_64,
but I also figured I could just have an outdated package.
I'm asking this because when I set up my audit rules on RHEL4_64 with the base
auditing installed (none of the above updates), I wasn't getting any
login/logout events at all. Based on my initial experience with the initial
Fedora configurations, I assume that I need to install updated packages.
I'm not using watches right now, only syscalls, which seem to catch everything I
need. It seems like Steve has put enough information in the event logs that it
is possible to build a GUI that parses, combines, and then displays the event
logs to the user. Each displayed event is on a single line and contains the
pertinent information about the event.
The only gotcha I had with FC5 was that I needed the updated openssh packages to
generate the events that indicated a logout event for ssh.
Bob Evans
JHU/APL
Re: monitoring both logins and logouts via ssh in SLES10 SP1 RC2
by Michael Folsom
Steve:
Thanks for the quick response -
Did a little test on a X86-64 SLES10 SP1 RC2 system - sshed into it
and did see the USER_LOGIN line, then got out via either an exit or
logout and never saw a USER_END statement. Here are the relevant lines
from /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1180108586.633:1292): user pid=31247 uid=0
auid=4294967295 msg='PAM: authentication acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh
res=success)'
type=USER_ACCT msg=audit(1180108586.633:1293): user pid=31247 uid=0
auid=4294967295 msg='PAM: accounting acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X,, terminal=ssh
res=success)'
type=LOGIN msg=audit(1180108586.637:1294): login pid=31248 uid=0 old
auid=4294967295 new auid=6122
type=USER_START msg=audit(1180108586.637:1295): user pid=31248 uid=0
auid=6122 msg='PAM: session open acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1180108586.637:1296): user pid=31248 uid=0
auid=6122 msg='PAM: setcred acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1180108586.641:1297): user pid=31245 uid=0
auid=4294967295 msg='uid=6122: exe="/usr/sbin/sshd" (hostname=X.X.X,
addr=X.X.X.X, terminal=/dev/pts/1 res=success)
From playing with logging in and out via different means - the gdm
gui, the console, and ssh - and then using grep on the log file it
appears that the other two routes record both logins and logouts but
ssh only records logins.
Could this be an issue in Suse's implementation of audit?
Thanks!
Michael
On 5/25/07, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday 24 May 2007 19:07:21 Michael Folsom wrote:
> > Working with audit (ver=1.2.9) on SLES10 sp1 rc2 and wonder if it was
> > possible to monitor both logins and logouts.
>
> Logins are denoted by a USER_LOGIN event. There should also be a USER_START
> event from the same tty/pty or host, auid, and pid. This marks the beginning
> of a session. You should be able to look for a corresponding USER_END to
> denote the end of a session. If USER_START results indicates a failure, there
> will not be a USER_END.
>
> > Currently my system is recording when a user logs in but not when they log
> > out of a ssh session. Is this even possible?
>
> With a little inference, it's possible. I started to put in a USER_LOGOUT
> event, but I decided its redundant when it can be inferred by the session
> events.
>
> -Steve
>
monitoring both logins and logouts via ssh
by Michael Folsom
Hi:
Working with audit (ver=1.2.9) on SLES10 sp1 rc2 and wonder if it was
possible to monitor both logins and logouts. Currently my system is
recording when a user logs in but not when they log out of a ssh
session. Is this even possible?
Thanks -
Michael
AUDIT Rules
by Paul Whitney
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Can someone tell me what is the correct syntax for auditing successful or failed
attempts to modify a file using the chmod command? I have :
- -a exit,possible -S chmod -F success=0 -F success!=0
- -a exit,possible -S fchmod -F success=0 -F success!=0
But I am not able to audit the event. As a regular user I try to change the
permissions of /etc/shadow. The action fails (as expected) but does not get
audited.
Any suggestions are greatly appreciated.
Paul Whitney
Information Systems Solutions
paul.whitney(a)mac.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBRlSQSbdVg+viRqgEAQjJTAf8CHUY4lQMv7tJrdseTqe/l2n1oFwu8GNr
xrIPab5+iQtRWk4OwwOnmifz1yZRyA+tO+W0hXc7UFn5c1J8YKFooAYEiTK/DvBI
oE4Aeme5QDIW4MN/quq8qOeKieMUDr2oPt3ZqVW6F9u/pF/dlUaQ5OvdSchtdfLw
iYMsd2rS5xtUVa0fDYEsQqz6AAaKbpuBCa6+ksxWTnPOCjYec0jpVpT3unFLA7G3
FK34zc5nfzuGimEtPb3wGvZv32wPyDDV8aD/ghw9kBYT3Fobd4LF6ZT89MbWSlja
I5HW38q8elNn6an3FjWo+UV9r47tuMteIuFUatwed47yR/58xizoEg==
=yBwv
-----END PGP SIGNATURE-----
Auditd and Watches
by Simmons Jr,Felix
All,
This is my first post to the list so...be gentle ;) Anyway, I'm trying
to get some monitoring going where I plan on using auditd to monitor
changes to files I deem important. Currently I have a watch on one file
(called important_file), I've given a key so I can find events related
to my one important file. Below is my watch:
[root@XXXX-22 ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
filterkey=test-file, perms=wa, valid=0
I've got no rules in my audit.rules (except -D and the -b 256 default).
My question is this (about time eh?) even though the only rule I have in
my rules is a single watch on a file, I'm getting all sorts of other
events in my /var/log/audit/audit.log. A lot of it is don't-care items
at this phase and would only aid in growing my log files. Is there
something I'm missing that can turn off the additional chatter in the
logs? Below are some examples:
type=USER_ACCT msg=audit(05/24/2007 08:44:27.341:8311) : user pid=5633
uid=root auid=unknown(4294967295) msg='PAM accounting:
user=scrubbeduserid exe="/usr/sbin/sshd"
(hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh
result=Success)'
----
type=LOGIN msg=audit(05/24/2007 08:44:27.368:8312) : login pid=5640
uid=root old auid=unknown(4294967295) new auid=scrubbeduserid
----
type=USER_START msg=audit(05/24/2007 08:44:27.370:8313) : user pid=5640
uid=root auid=scrubbeduserid msg='PAM session open: user=scrubbeduserid
exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com,
addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(05/24/2007 08:44:27.373:8314) : user pid=5640
uid=root auid=scrubbeduserid msg='PAM setcred: user=scrubbeduserid
exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com,
addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=USER_LOGIN msg=audit(05/24/2007 08:44:27.382:8315) : user pid=5633
uid=root auid=unknown(4294967295) msg='uid=7532: exe="/usr/sbin/sshd"
(hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146,
terminal=/dev/pts/1 res=success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:37.379:8316) : user pid=5698
uid=scrubbeduserid auid=scrubbeduserid msg='PAM authentication:
user=scrubbeduserid exe="/usr/local/bin/priv-escalator"
(hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186,
terminal=/dev/pts/1 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:37.384:8317) : user pid=5698
uid=scrubbeduserid auid=scrubbeduserid msg='PAM accounting:
user=scrubbeduserid exe="/usr/local/bin/priv-escalator"
(hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186,
terminal=/dev/pts/1 result=Success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:41.884:8318) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM authentication: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:41.889:8319) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM accounting: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_START msg=audit(05/24/2007 08:44:41.890:8320) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM session open: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=CRED_ACQ msg=audit(05/24/2007 08:44:41.890:8321) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM setcred: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
Basically I'm trying to chunk the logs down so my host based ids can
snag the events and alert accordingly. I'm pretty new to linux auditd
and I'm coming from the Solaris BSM Audit school of thought. Steve if
you're reading this, thanks for your time and effort keeping linux
auditd going.
-Felix