Re: audisp-prelude problems
by Loredan Stancu
Thanks a lot Steve, now it works. It was because pam was not compiled with
audit support. Now events are generated when a user is logged from a
console, terminal or when using ssh.
Now I'll have to user audisp-remote plugin to centralize events.
> On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
>> I recompiled sshd with support for pam on the gentoo machine and the
>> following event is logged when using "UsePAM yes" in sshd_config file:
>>
>> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
>> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
>
> This is from the kernel when pam_loginuid sets the loginuid. Its very
> important for all entry point daemons to set this (login, remote, gdm,
> sshd,
> kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit
> events.
> I believe that recent pam versions (0.9 or higher) automatically use
> libaudit
> if its present when compiling. You might double check what ./configure
> --help
> shows on your distro.
>
>
>> And also on fedora machine events are generated when a user is logging
>> in
>> local or using a terminal or a console. On gentoo machine no events are
>> generated when a user is logged in from a terminal or console.
>
> There is a fair amount of enabling audit all over the place. I guess this
> is a
> disadvantage for a do it yourself distribution. There's things in pam, and
> probably 10-15 packages that are audit aware.
>
>
>> What is happen on fedora is ok and I also want this happen on gentoo.
>> Have
>> you any idea why not the same events are generated on gentoo like is
>> generated in fedora?
>
> I suspect that you needed libaudit built and installed early in the
> process of
> building Gentoo if you compiled it yourself. If you didn't build it, then
> they
> must not place a high priority on this security feature. I don't follow
> the
> Gentoo distribution, so what I just said could be all wrong. But I think
> if
> libaudit is missing early in the build process, lots of things won't find
> it
> and disable audit support.
>
>
>> Has Fedora something which may not have or may not be included?
>
> We send everything upstream so that everyone can benefit. Even that patch
> for
> sshd I referred you to was sent upstream, but they have not accepted it.
>
> -Steve
>
15 years, 11 months
Re: audisp-prelude problems
by Loredan Stancu
I just installed Fedora Core 10 on VmWare machine and
auditd/audisp-prelude seams to work fine.
I recompiled sshd with support for pam on the gentoo machine and the
following event is logged when using "UsePAM yes" in sshd_config file:
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is the only event which was generated when a user is logged in using
ssh.
On fedora machine more events are generate when a user is logged in using
ssh:
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="darkone":
exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd
res=failed)'
node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735
uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735
uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd"
(hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd"
(hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735
uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1,
addr=172.16.53.1, terminal=/dev/pts/2 res=success)'
And also on fedora machine events are generated when a user is logging in
local or using a terminal or a console. On gentoo machine no events are
generated when a user is logged in from a terminal or console.
Pam configuration on gentoo:
# cat /etc/pam.d/sshd
auth required pam_tally.so file=/var/log/faillog onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally.so file=/var/log/faillog onerr=succeed
password include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
PAM configuration on Fedora machine:
# cat /etc/pam.d/sshd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
# cat /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required pam_unix.so
What is happen on fedora is ok and I also want this happen on gentoo. Have
you any idea why not the same events are generated on gentoo like is
generated in fedora? I have to add something else to pam on gentoo? Has
Fedora something which may not have or may not be included?
> On Wednesday 03 December 2008 12:58:24 you wrote:
>> Another question: Can auditd generate events when a user is logging in
>> using ssh? That implies ssh use pam?
>
> There are 2 sets of events being sent, auth/acct/session open/close are
> from
> pam. But cron sends the same events. So, sshd itself sends another event
> USER_LOGIN that is to signify that the pam events are associated with a
> login
> and what the final result were.
>
>
>> I ask this because I want use audit in a production server and I'm not
>> allowed to manually install packages. I am allowed to only use emerge to
>> install packages. At this moment I do not have a USE flag(gentoo
>> specific)
>> corresponding to --with-linux-audit.
>
> I guess Gentoo is unpatched. Things will not work right without that last
> patch. All analysis software is predicated on seeing that event.
>
>
>> @Steve :) : Can you help me please with audisp-remote? I'll explain
>> again
>> what I want to do:
>> Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production.
>> M3 is a centralized machine events. On M1 and M2 runs auditd and
>> audisp-remote.
>> audisp-remote sends events to M3. I know how to configure auditd and
>> audisp-remote on M1 and M3. What I don't know is what should I do on M3
>> so
>> that it can receive events from M1 and M2 and store this events in
>> regular
>> file.
>
> You only have to set its tcp_listen_port to the same one that M1 & M2 are
> trying to connect on, update tcp_wrappers hosts.allow file to allow M1 &
> M2 to
> connect, then if you have selinux, you need to tell it what port you are
> using, and you also need to punch a hole in your firewall for that port.
>
>
>> > And you are able to load and list the 2 rules I sent above? Can you
>> find
>> > the results with ausearch --start today -k mkexe -m SYSCALL ?
>>
>> Yes, I could load that rules and this is what si loaded when a file gets
>> eecution rights:
>
> This looks fine. It should be working for you, then.
>
> -Steve
>
15 years, 11 months
Re: audisp-prelude problems
by Loredan Stancu
> On Wednesday 03 December 2008 09:57:48 Loredan Stancu wrote:
>> >> 1. audisp-prelude plugin is not generating events when a user is
>> logged
>> >> in.
>> >
>> > Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
>> > Without that, you won't see anything.
>>
>> This is the problem that no USER_LOGIN appears in the log file. No
>> events
>> are generated when a user is logged in.
>
> You likely need to compile openssh with a "--with-linux-audit" option to
> the
> configure line. If your distribution does not have the openssh audit
> patch, you
> can find it here:
>
> http://cvs.fedora.redhat.com/viewvc/devel/openssh/openssh-4.7p1-
> audit.patch?revision=1.1
Another question: Can auditd generate events when a user is logging in
using ssh? That implies ssh use pam? I ask this because I want use audit
in a production server and I'm not allowed to manually install packages. I
am allowed to only use emerge to install packages. At this moment I do not
have a USE flag(gentoo specific) corresponding to --with-linux-audit.
@Steve :) : Can you help me please with audisp-remote? I'll explain again
what I want to do:
Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production.
M3 is a centralized machine events. On M1 and M2 runs auditd and
audisp-remote.
audisp-remote sends events to M3. I know how to configure auditd and
audisp-remote on M1 and M3. What I don't know is what should I do on M3 so
that it can receive events from M1 and M2 and store this events in regular
file.
After this is clarified I'll see haw should I do to separate events based
on the node machine(M1 and M2).
>
>> >> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
>> >
>> > For which event? The loginuid is mostly what I concentrated on since
>> that
>> > tells you how they got into the machine.
>>
>> For any events. I am using prelude-manager and prewikka and I can't see
>> any uid or gid of any events.
>
> I'll check what I'm collecting. But I'm sure that loginuid should be there
> whenever its relevant.
>
>
>> >> 3. No events are generate for watched files/exec/mk_exe if no tow -k
>> >> options are specified in the rule. One of the -k options should
>> contain
>> >> '-k ids-type-severity' and another -k may contain anything. If you
>> >> specify
>> >> only one -k options no events are generated.
>> >
>> > You need 2 rules to cover this:
>> >
>> > auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F
>> > filetype=file
>> > -k ids-mkexe-hi
>> > auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111'
>> > -F filetype=file -k ids-mkexe-hi
>> >
>> > It works fine on my system. Also note that it depends on having a
>> recent
>> > kernel.
>>
>> On Gentoo linux I'm using kernel version 2.6.26-gentoo-r3 and on Debian
>> system I'm using kernel version 2.6.26-1-686
>> In both kernels I have support for audit and inotify.
>
> And you are able to load and list the 2 rules I sent above? Can you find
> the
> results with ausearch --start today -k mkexe -m SYSCALL ? You might also
> strace the app that's making executables that you are trying to catch to
> make
> sure you have a rule that will catch it.
Yes, I could load that rules and this is what si loaded when a file gets
eecution rights:
type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306
success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1
ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod"
exe="/bin/chmod" key="ids-mkexe-hi"
type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit"
type=PATH msg=audit(1228324240.067:14): item=0
name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000
ogid=1000 rdev=00:00
>> >> Another question is how I can use audisp-remote to send events
>> somewhere
>> >> remote?
>
> I think I answered this in the other email, but to be clear, the
> audisp-remote
> plugin wants to talk to a remove audit daemon. So the chain of custody for
> an
> event looks like:
>
> kernel->auditd->audispd->audisp-remote->auditd->file
>
> -Steve
>
15 years, 11 months
Re: audisp-prelude problems
by Loredan Stancu
> On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
>>
>> I know how to activate the audisp-plugin, what I asked is how can I use
>> it.
>>
>> What I need is an example of an application which can stay on the remote
>> host, listen for incoming events send by audisp-remote plugin and store
>> these events in a regular file.
>
> OK.
> That's what the auditd does if the remote host is also SElinux.
>
> So - next questions:
>
> * Is the remote host not a SElinux machine? You'd need to emulate the
> protocol on the receive side.
>
> * If it is a SElinux machine (F9/F10/other?), do you want the
> originating events in a different place than the default? Like separated
> by sending host instead of lumped together with the other audit?
>
> If the latter is the case, there are ways of doing this now depending on
> your intent.
Supposing the remote system is an SElinux machine (a machine which stores
all the user activity send by audisp-remote plugins. There are more then
one machine for which I want to store events) what should I do on this
machine to keep separate file events for each machine
> Also this is an area Steve has discussed may be open for modification.
> The auditd on the aggregating side may be able to separate data based on
> other criteria per user feedback.
>
> LCB.
>
> --
> LC (Lenny) Bruzenak
> lenny(a)magitekltd.com
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
15 years, 11 months
Re: audisp-prelude problems
by LC Bruzenak
On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
> I know how to activate the audisp-plugin, what I asked is how can I use it.
>
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events send by audisp-remote plugin and store
> these events in a regular file.
OK.
That's what the auditd does if the remote host is also SElinux.
So - next questions:
* Is the remote host not a SElinux machine? You'd need to emulate the
protocol on the receive side.
* If it is a SElinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?
If the latter is the case, there are ways of doing this now depending on
your intent.
Also this is an area Steve has discussed may be open for modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
15 years, 11 months
Re: audisp-prelude problems
by Loredan Stancu
>
> On Wed, 2008-12-03 at 08:46 -0500, Steve Grubb wrote:
>>
>> > Another question is how I can use audisp-remote to send events
>> somewhere
>> > remote?
>>
>> Assuming you are using Fedora, to set this up on client machines, you
>> will need to install the audispd-plugins package. Then you need to set
>> the remote_server and port in the /etc/audisp/audisp-remote.conf
>> file.
>
> (trivial) also set:
> active = yes
> in /etc/audisp/plugins.d/au-remote.conf
>
> and see "TIPS" in audisp-remote(8) man page
I know how to activate the audisp-plugin, what I asked is how can I use it.
What I need is an example of an application which can stay on the remote
host, listen for incoming events send by audisp-remote plugin and store
these events in a regular file.
,
Loredan
15 years, 11 months
audisp-prelude problems
by Loredan Stancu
Hi,
I'm testing version 1.7.9 of audit using audisp-prelude plugin and I have
some problems:
1. audisp-prelude plugin is not generating events when a user is logged in.
2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
3. No events are generate for watched files/exec/mk_exe if no tow -k
options are specified in the rule. One of the -k options should contain
'-k ids-type-severity' and another -k may contain anything. If you specify
only one -k options no events are generated.
Another question is how I can use audisp-remote to send events somewhere
remote?
Thx,
Loredan Stancu
15 years, 11 months