May 2008 - Linux-audit - Linux-Audit List Archives

by Miloslav Trmač

Hello, audit-viewer is now available in Fedora 9. It is a GUI for viewing audit logs and running simple reports on them, intended as an ueasy to use alternative to ausearch and aureport. To see what audit-viewer can do, please read https://fedorahosted.org/audit-viewer/wiki/AuditViewerTour . The program is still under development, more features (graphs in particular) and more polish is planned. I'll be grateful for any feedback (what works well, what doesn't work, what is difficult to do or unintuitive). To install audit-viewer on Fedora, run (yum install audit-viewer). Then you'll find it in the System/Administration menu as "Audit Logs". To build audit-viewer on other distributions, you'll need the source code available at https://fedorahosted.org/audit-viewer/ . audit-viewer depends on python-gtkextra, and the last release of python-gtkextra doesn't build on recent systems. You may find the patch at http://cvs.fedora.redhat.com/viewcvs/devel/python-gtkextra/ useful. Mirek

16 years, 6 months

2
4
0 / 0

ausearch notes

by LC Bruzenak

audit-1.7.4-1.fc9.x86_64 The "-i" flag on ausearch appears to remove the "node=" info when the type!=UNKNOWN: [root@hugo sbin]# ausearch -ts today | grep -i welcome ... node=hugo type=UNKNOWN[2800] msg=audit(1212175003.754:11074): user pid=20597 uid=0 auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c1023 msg='*C* 5/30 19:16:43 comms 20836 audit test: Welcome to audit test LCB3 : exe="/opt/jcdx/sbin/SecureSyslog" (hostname=comms, addr=192.168.31.60, terminal=? res=failed)' node=hugo type=TRUSTED_APP msg=audit(1212175342.808:11387): user pid=21612 uid=0 auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c1023 msg='*C* 5/30 19:22:22 comms 21615 audit test: Welcome to audit test LCB3 : exe="/opt/jcdx/sbin/SecureSyslog" (hostname=comms, addr=192.168.31.60, terminal=? res=failed)' ... [root@hugo sbin]# ausearch -i -ts today | grep -i welcome ... node=hugo type=UNKNOWN[2800] msg=audit(05/30/2008 14:16:43.754:11074) : user pid=20597 uid=root auid=root subj=root:staff_r:staff_t:s0-s15:c0.c1023 msg='*C* 5/30 19:16:43 comms 20836 audit test: Welcome to audit test LCB3 : exe=/opt/jcdx/sbin/SecureSyslog (hostname=comms, addr=192.168.31.60, terminal=? res=failed)' type=TRUSTED_APP msg=audit(05/30/2008 14:22:22.808:11387) : user pid=21612 uid=root auid=root subj=root:staff_r:staff_t:s0-s15:c0.c1023 msg='*C* 5/30 19:22:22 comms 21615 audit test: Welcome to audit test LCB3 : exe=/opt/jcdx/sbin/SecureSyslog (hostname=comms, addr=192.168.31.60, terminal=? res=failed)' ... -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

16 years, 6 months

2
1
0 / 0

ausearch from cron

by Kurt S Harris

When I run an ausearch from a cron in RedHat 5.1 I don't get any output, running the same command from the command line I get results. Any ideas on what I'm missing? output: <no matches> May 29 09:36:01 magenta last message repeated 3 times May 29 09:36:01 magenta logger: AuditSearch: -ts 09:35:00 -te 09:36:00 May 29 09:36:01 magenta logger: crontab: * * * * 1-5 /usr/sbin/logaudit >> /var/log/messages 2>>/var/log/messages logaudit: #!/bin/bash logaudit(){ ctime=$(/bin/date '+%T') min=$(echo ${ctime}|cut -f2 -d:) if [ "${min}" = "00" ];then Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1 -1 ":59:00 -te "$1":"$2":00"}') else Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1":" $2 - 1 ":00 -te "$1":"$2":00"}') fi echo -e "\nAuditSearch:" $Args /sbin/ausearch ${Args} -i >> /var/log/messages 2>>/var/log/messages echo -e "\n\n" } logaudit | /usr/bin/logger -p auth.alert

16 years, 7 months

2
1
0 / 0

aureport summary

by LC Bruzenak

Here is my report: [root@hugo audit]# aureport --summary Summary Report ====================== Range of time in logs: 05/27/2008 12:04:31.669 - 05/28/2008 18:14:56.100 Selected time for report: 05/27/2008 12:04:31 - 05/28/2008 18:14:56.100 Number of changes in configuration: 174 Number of changes to accounts, groups, or roles: 0 Number of logins: 5 Number of failed logins: 1 Number of authentications: 25 Number of failed authentications: 1 Number of users: 2 Number of terminals: 16 Number of host names: 8 Number of executables: 114 Number of files: 19536 Number of AVC's: 1007 Number of MAC events: 25 Number of failed syscalls: 1283 Number of anomaly events: 107 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of keys: 14 Number of process IDs: 1473 Number of events: 37218 IIUC the last line - number of events - should be the sum of all the previous. However, adding up the events (barring OE) before that comes to 23791. I guess there are overlaps too - for example, the keys are possibly also in syscall events? Are some events missing on purpose? Thx, LCB. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

16 years, 7 months

2
1
0 / 0

Using the audit system for non-security events

by Eric Paris

The userspace group is attempting to write new applications which will dynamically profile system startup and preload applications and data so that they are hot in the kernel when they are needed. http://fedoraproject.org/wiki/Features/30SecondStartup/ReadAheadReloaded They need to see all of the exec and open calls from the system so they can profile what is needed. They discovered that the audit system does exactly what they need except one problem. It writes all of the exec and open call records to disk which very quickly gets too large. All they want is a way to tell the audit system to send a message to the audit dispatcher but not to log to disk. This isn't so easy as it means that audit has to somehow parse the messages rather than just quickly write them. Since the plan is to always have the audit system always emit these rules on all non-server type systems it really isn't reasonable to have them written to disk. We suggested they look at system-tap, which was able to give them the information, but it meant compiling a kernel module for every kernel and had all sorts of maintenance nightmares (from what I'm told) so they came back to me. What I'm considering is a new 'flag' which audit rules can be loaded with which indicates to use the new 'no-log' netlink socket. The kernel would then have 2 netlink sockets. One will continue to talk to auditd the other straight to a dispatcher. No changes will be made in any way to the way we handle messages or panic on message loss to the 'normal' audit queue. I'm thinking the second netlink socket will be a 'best effort' audit system. Messages may be dropped without indication it should run at a lower priority, blah blah blah. It would allow the very flexible and powerful audit system to be used for profiling and data collection for non-security relevant applications. I want thoughts on such a proposal. Obviously I'm going to ahve to put some real thought/care into how to handle 'overlapping' rules between security and non-security and stuff like that, but as a general idea what do people think? -Eric

16 years, 7 months

4
3
0 / 0

audit_log_user_message question

by LC Bruzenak

In looking at the user application audit I'm wondering why there is a "hostname" field there? I understand the obvious answer but would think I'd trust the auditd or audispd more than an application for the hostname answer, and those would be consistent. Thx, LCB. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com

16 years, 7 months

2
3
0 / 0

audit 1.7.4 released

by Steve Grubb

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is: - Fix interpreting of keys in syscall records - Interpret audit rule config change list fields - Don't error on name=(null) PATH records in ausearch/report - Add key report to aureport - Fix --end today to be now - Added python bindings for auparse_goto_record_num - Update system-config-audit to 0.4.7 (Miloslav Trmac) - Add support for the filetype field option in auditctl - In audispd boost priority after starting children This release is a mix of bug fixes and new features. The bug fixes are what is driving the release earlier than what I'd like. I was doing some testing and found that a lot of keys were not being interpreted correctly. I think many were coming back as (null) which looks pretty normal if you don't use the keys. Anyways, this is fixed. I also found that ausearch/report were not processing some events correctly when the PATH record's name field was (null). The result of this was that the event was being discarded in search results. With the new interest in keys, I added a key report to aureport. This presents a listing of what keys & quantities have been found in a given time frame. During testing of that, I found that "--end today" was not behaving as I expected. I really think that when you do aureport --start yesterday --end today, you should see events from yesterday at midnight until now. I added an interpretation for the list in audit watch add/delete events. This will now print the list's name like exit,entry, user, etc. This release also adds support for a new rule field in he 2.6.26 kernel. If you wanted to audit setting the execute bit via the chmod syscal, you would normally write a rule something like this: -a always,exit -S chmod -F a1&0111 but the problem is that this will trigger on chmod 0755 of directories which is pretty common if you want the directory to be searchable. So we added a new option to let you specify what the object's type is, filetype. The new rule would look like this: -a always,exit -S chmod -F a1&0111 -F filetype=file filetype can be file, dir, socket, symlink, char, block, or fifo. And last item I wanted to comment on was the change in priority boost for audispd. I moved the call to nice() until after the child processes were started. This is because audispd should not have to fight with its children for time slices at the higher priority. It has an internal queue that can be extended by admin configurable parameters. The children are now started with the priority inherited from auditd. Please let me know if you run across any problems with this release. -Steve

16 years, 7 months

4
9
0 / 0

Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)

by McCarthy, John D.

Is there a way to view/change the Auditd log format so when I view the logs they are more user friendly to read? I think the auditd.conf file format is FORMAT=RAW, is this the setting and if so can I change it so my logs are less complicated to read. The other log files (SYSTEM or SECURITY) are user easy enough to read; its just the auditd.log files are complicated. Thank You John D. McCarthy Information Assurance Principal Engineer General Dynamics AIS 5200 Springfield Pike Suite 200 Dayton, Ohio 45431-1289 Phone: 937-476-2619 Fax: 937-476-2542

16 years, 7 months

3
2
0 / 0

NISPOM Auditing

by Mathis, Jim

Hello, I need to log file edit attempts when a user doesn't have permission to edit a specific file. For example, a non-root user attempts to edit "/var/log/audit/audit'log" which has a permission setting of 640. Although the user won't be able to edit the file (permission denied) - I'd still like to log the attempt. Here's a snippet of my audit.rules file: ## unsuccessful creation -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation ## unsuccessful open -a exit,always -S open -F exit=-13 -k open ## unsuccessful close -a exit,always -S close -F exit=-13 -k close ## unsuccessful modifications -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods -a exit,always -S renameat -F exit=-13 -k mods ## unsuccessful deletion -a exit,always -S rmdir -S unlink -F exit=-13 -k delete -a exit,always -S unlinkat -F exit=-13 -k delete ## unauthorized change directory (cd) -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd ## Watch Files -w /var/log/audit/audit.log -p rwxa -k audit-log2 Thanks -Jim

16 years, 7 months

3
3
0 / 0

Way too many logs!

by Jeremy Leonard

Here are the rules I'm using: -D -b 8096 -a exit,always -S open -F success=0 -k RULE1 -a exit,always -S unlink -S rmdir -k RULE2 -w /etc/auditd.conf -k RULE3 -w /etc/audit.rules -k RULE4 -a exit,always -S acct -S reboot -S swapon -k RULE5 -a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6 -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 -a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8 -a exit,always -S lchown -k RULE9 Here is the output of aureport: Summary Report ====================== Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266 Number of changes in configuration: 22 Number of changes to accounts, groups, or roles: 0 Number of logins: 0 Number of failed logins: 0 Number of users: 2 Number of terminals: 4 Number of host names: 2 Number of executables: 33 Number of files: 693 Number of AVC denials: 0 Number of MAC events: 0 Number of failed syscalls: 4052 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of process IDs: 1428 Number of events: 1444530 This is 475mb in ten minutes! Here is how the rule hits add up: RULE1: 4052 RULE2: 601 RULE3: 9 RULE4: 1 RULE5: 0 RULE6: 40 RULE7: 1438239 RULE8: 1503 RULE9: 0 Here is one of the log entries I have so many of. type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7" How can I exclude this so it doesn't get logged? The rules I have above are required by the government. DIACAP STIG Thanks!

16 years, 7 months

4
5
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit May 2008