January 2008 - Linux-audit - Linux-Audit List Archives

by Brennan, William C

Okay, I'm a newbie, so excuse this question if the answer seems obvious. I've looked at auditctl to see how it can help us audit several different conditions, but I can't figure out how to do the following: How do I configure parameters for auditctl to make an audit record every time a file is executed? William C. Brennan Cube 4929, M1225 Lockheed Martin Valley Forge, PA 610-354-6960

18 years

3
4
0 / 0

audit 1.6.6 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide soon. The Changelog is: - Add prelude IDS plugin for IDMEF alerts - Add --user option to aulastlog command - Spec file cleanups This release adds an audispd plugin that watches for certain audit events in real-time and sends an IDMEF alert when it sees something notable. I will publish a HOWTO in a couple days to show how to go about setting up prelude and registering this plugin. The events it is currently able to send are: logins, max falied logins, max concurrent sessions, SE Linux AVCs, and apps that abnormally terminate. I'll add more in the future. To build this plugin, you need to add a --with-prelude to the configure command. Please let me know if you run across any problems with this release. -Steve

18 years, 1 month

1
0
0 / 0

Problem with ausearch_set_param

by Mukul Khullar

I am trying to use ausearch_set_param, but the same when used along with proper arguments, doesn't compile and gives an undefined reference. Is there some particular library which is to be included to use ausearch_set_param ? Eg code : ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT)) Error is : /tmp/cciCPMs9.o: In function `main': parselib.c:(.text+0x61): undefined reference to `ausearch_set_param' collect2: ld returned 1 exit status Please help, Thanking you, Mukul Khullar

18 years, 1 month

2
1
0 / 0

Auparse using Buffer.......

by kunal chandarana

#include<stdio.h> #include<unistd.h> #include<auparse.h> #include<stdlib.h> #include "libaudit.h" #include<unistd.h> #include<fcntl.h> #include<time.h> int main(void) { char *data; int i=0; data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023msg='op=PAM:accounting acct=root exe=\"/usr/sbin/gdm-binary\" (hostname=?, addr=?, terminal=:0 res=success)'\0"; auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data); if (au == NULL) { printf("hi eroror \n"); exit(1); } //ADDING RULES if (!ausearch_add_item(au, "a0", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "a1", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "a2", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "a3", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "a4", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "acct", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "addr", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "arch", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "audit_backlog_limit", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "audit_enabled", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "audit_failure", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "auid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "comm", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "cwd", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "dev", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "egid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "euid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "exe", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "exit", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "file", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "flags", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "format", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "fsgid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "fsuid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "gid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "hostname", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "id", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "inode", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "inode_gid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "inode_uid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "item", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "items", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "list", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "mode", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "msg", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "nargs", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "name", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "obj", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "ogid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "old", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "old_prom", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "op", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "ouid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "parent", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "path", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "perm", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "perm_mask", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "pid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "prom", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "qbytes", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "range", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "rdev", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "res", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "result", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "role", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "saddr", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "sauid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "scontext", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "seuser", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "sgid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "spid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "subj", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "success", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "suid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "syscall", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "tclass", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "tcontext", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "terminal", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "tty", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "type", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "uid", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "user", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "ver", "!=", "NULL", AUSEARCH_RULE_OR)) {} if (!ausearch_add_item(au, "watch", "!=", "NULL", AUSEARCH_RULE_OR)) {} auparse_next_event(au); if (auparse_find_field(au, "auid")) { printf("auid=%s\n", auparse_get_field_str(au)); } if (auparse_find_field(au, "hostname")) { printf("hostname=%s\n", auparse_get_field_str(au)); } auparse_destroy(au); return 0; } Same code tried with file pointer is working properly that is auparse_init(AUSOURCE_FILE_POINTER, <<File Pointer>>). But when tried with buffer is neither giving output nor error. auparse_init(AUSOURCE_BUFFER, <<buffer address>>).

18 years, 1 month

2
1
0 / 0

Database Support

by Mukul Khullar

I am trying to add DB support to Audit. What kind of DB support is expected & would be most useful. Should it be on the basis of 1.) Ranges of netlink messages , ie. * * 000 - 1099 are for commanding the audit system* * * 1100 - 1199 user space trusted application messages* * * 1200 - 1299 messages internal to the audit daemon* <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L34>* * 1300 - 1399 audit event messages* * * 1400 - 1499 SE Linux use* <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L36>* * 1500 - 1599 kernel LSPP events* <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L37>* * 1600 - 1699 kernel crypto events* <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L38>* * 1700 - 1799 kernel anomaly records* <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L39>* * 1800 - 1999 future kernel use (maybe integrity labels and related events)* nd etc , or 2.) The tables should be based on each type of record coming in the logs(which would be a daunting task). Is there any other way i can use the audit logs, and do some classification of the records in an efficient manner in the database as tables? What should be the classification factor for the tables in the DB? Please reply , Thanking You, Mukul Khullar.

18 years, 1 month

1
0
0 / 0

Auparse library event...............

by kunal chandarana

+#include <stdio.h> +#include "auparse.h" +#include <stdlib.h> +#include <malloc.h> int main() { auparse_state_t *au; au = auparse_init(AUSOURCE_LOGS, NULL); if (au == NULL) exit(1); if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT)) exit(1); while (ausearch_next_event(au)) { if (auparse_find_field(au, "auid")) { printf("auid=%s\n", auparse_interpret_field(au)); } } auparse_destroy(au); } I tried the above program for but after compilation its giving following linking error. /tmp/ccMo3ClJ.o: In function `main': parselib.c:(.text+0x21): undefined reference to `auparse_init' parselib.c:(.text+0x61): undefined reference to `ausearch_set_param' parselib.c:(.text+0x84): undefined reference to `auparse_find_field' parselib.c:(.text+0x93): undefined reference to `auparse_interpret_field' parselib.c:(.text+0xae): undefined reference to `ausearch_next_event' parselib.c:(.text+0xbd): undefined reference to `auparse_destroy' collect2: ld returned 1 exit status Do help.......

18 years, 1 month

2
2
0 / 0

PATH field questions

by Matthew Booth

Sorry for not batching these. There shouldn't be any more in the immediate future :) In PATH can anybody point me to: The meaning of the first 3 characters of the mode field. The meaning of rdev. Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

18 years, 1 month

2
1
0 / 0

Re: Linux-audit Digest, Vol 40, Issue 9

by kunal chandarana

In audit logs fields are generated for specific type. Each log has different type and depending on type there are different fields shown in audit.logfiles. Is there a way to map this audit type to the fields. Like if i have type=XYZ then log will contain n fields. So how to find these N fields.?

18 years, 1 month

3
2
0 / 0

Meaning of SYSCALL fields

by Matthew Booth

I'm documenting the fields of certain auditd messages for RHEL 4. Amongst the SYSCALL fields are the following uid/gid related fields. uid (obvious) gid (obvious) euid (obvious) suid - what's this? fsuid - what's this? egid (obvious) sgid - what's this? fsgid - what's this? Can anybody fill in the blanks for me? Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

18 years, 1 month

2
2
0 / 0

difficulty with TYPE

by Abhishek Gupta

i tried to run auditdispatcher from http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little modification. i converted TYPE numeric value to name using audit library function "audit_msg_type_to_name". Then i printed audit TYPE number with corresponding name using above function. The program is running fine but i have little doubt. i restarted audit daemon i changed login to some other user and back to root. to generate records as USER_LOGIN,USER_AUTH,etc and looked to syslog where i have printed messages from program. I got this output : type=1305 typename=CONFIG_CHANGE, payload size=110 type=539770685 typename=(null), payload size=1836213620 type=1836213620 typename=(null), payload size=1818324585 type=1702109228 typename=(null), payload size=1852403058 first one is ok but look at the rest lines. so what does type=539770685means? how does this numeric values maps to USER_AUTH,USER_ACCT,etc why typename coming out to be null? Please help. here is the code: ---------------------------------------------------------------------------------------------------------------------------------------- //change mode of binary version of this file as "chmod 0750 skeleton" very very important //switch off selinux by command "setenforce 0" or use GUI application //data from audit daemon is "header+msg" //header has field like type,etc which is an integer,map that type number with macros defined in linuxaudit.h //msg contains various fields specific to the type number //note down important security specific type number and create table for each type with fields that type contains #include <stdio.h> #include <sys/types.h> #include <sys/uio.h> #include <unistd.h> #include <stdlib.h> #include <signal.h> #include <fcntl.h> #include <errno.h> #include <string.h> #include <locale.h> #include "libaudit.h" // Local data static volatile int signaled = 0; static int pipe_fd; static const char *pgm = "skeleton"; // Local functions static int event_loop(void); // SIGTERM handler static void term_handler( int sig ) { signaled = 1; } /* * main is started by auditd. See dispatcher in auditd.conf */ int main(int argc, char *argv[]) { struct sigaction sa; setlocale (LC_ALL, ""); openlog(pgm, LOG_PID, LOG_DAEMON); syslog(LOG_NOTICE, "starting ABHISHEK..."); #ifndef DEBUG // Make sure we are root if (getuid() != 0) { syslog(LOG_ERR, "You must be root to run this program."); return 4; } #endif // register sighandlers sa.sa_flags = 0 ; sa.sa_handler = term_handler; sigemptyset( &sa.sa_mask ) ; sigaction( SIGTERM, &sa, NULL ); sa.sa_handler = term_handler; sigemptyset( &sa.sa_mask ) ; sigaction( SIGCHLD, &sa, NULL ); sa.sa_handler = SIG_IGN; sigaction( SIGHUP, &sa, NULL ); (void)chdir("/"); // change over to pipe_fd pipe_fd = dup(0); close(0); open("/dev/null", O_RDONLY); fcntl(pipe_fd, F_SETFD, FD_CLOEXEC); // Start the program return event_loop(); } static int event_loop(void) { void* data; int i=0; struct iovec vec[2]; struct audit_dispatcher_header hdr; + const char *typename; int res; // allocate data structures data = malloc(MAX_AUDIT_MESSAGE_LENGTH); if (data == NULL) { syslog(LOG_ERR, "Cannot allocate buffer"); return 1; } memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH); memset(&hdr, 0, sizeof(hdr)); do { int rc; struct timeval tv; fd_set fd; tv.tv_sec = 1; tv.tv_usec = 0; FD_ZERO(&fd); FD_SET(pipe_fd, &fd); rc = select(pipe_fd+1, &fd, NULL, NULL, &tv); if (rc == 0) continue; else if (rc == -1) break; /* Get header first. it is fixed size */ vec[0].iov_base = (void*)&hdr; vec[0].iov_len = sizeof(hdr); // Next payload vec[1].iov_base = data; vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH; rc = readv(pipe_fd, vec, 2); if (rc == 0 || rc == -1) { syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno)); break; } // handle events here. Just for illustration, we print // to syslog, but you will want to do something else. + typename=audit_msg_type_to_name(hdr.type); + syslog(LOG_NOTICE,"type=%d typename=%s, payload size=%d",hdr.type ,typename,hdr.size); //syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,(char *)data); } while(!signaled); return 0; } ------------------------------------------------------------------------------------------------------------------------------------------

18 years, 1 month

4
6
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit January 2008