[PATCH 0/8] integrity
by Mimi Zohar
> > The integrity patches are in security-testing-2.6/#next and the auditd
> > patch I just posted to linux-audit. How do you suggest we go forward?
>
> We need to go over the event format and make sure it's got everything we need
> in it. We also need to review the code that touches the audit system and make
> sure it's using the audit API the way we intended. I'd like to do this on the
> linux-audit mail list so there is a record of it in the audit archives.
>
> Thanks,
> -Steve
As per Steve's request, I'm posting the integrity patches here. These
patches are dependent on the following TPM patches:
http://lkml.org/lkml/2009/2/2/162
http://lkml.org/lkml/2009/2/5/151
The auditd patch was already posted here.
Mimi
James Morris (1):
IMA: fix ima_delete_rules() definition
Mimi Zohar (7):
integrity: IMA hooks
integrity: IMA as an integrity service provider
integrity: IMA display
integrity: IMA policy
integrity: IMA policy open
Integrity: IMA file free imbalance
Integrity: IMA update maintainers
15 years, 9 months
uid<-->username question
by LC Bruzenak
All,
I was thinking about a scheme to retrieve usernames from UIDs on
different machines. I was going to push the passwd file from a
participating audit client up to the server. Then I'll store it uniquely
according to its IP address (e.g. /var/etc/passwd.192.168.10.10).
Then, I'd change the parse code which looks up the username from
getpwuid().
In the case where the host was localhost, I'd still use the getpwuid()
call. In the case where it is another host, I'd use fgetpwent() on the
particular host's passwd file.
I see that the name-value cache will have to be modified or maybe a
UID/hostname/username triplet cache will need to be used instead for
UIDs.
On the sender, I was thinking that I already have an excellent
audit-based file watch in place. Ideally, on a /etc/passwd addition, I'd
like to fire a rule to automatically send the modified hosts file up to
the collector machine.
Any thoughts on this? I realize in most systems an LDAP server is
adequate for federated logins and no code changes or schemes are
necessary. I do not have this and likely never will given my
environment. I also have to ensure that the participating systems do not
reuse old UIDs or remove expired ones from their password file.
I also realize this code change may be of little use to the general
community, but if I do this and others have similar restrictions I'd be
happy to share what I do.
Thx in advance,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
15 years, 9 months
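The lookup scheme described in the post, as an added Python example (not code from the thread): local UIDs still go through getpwuid(), any other host is resolved from the passwd copy pushed up from that host (modelled here as a constructed in-memory stand-in for /var/etc/passwd.<ip>, since Python has no fgetpwent), and results sit in a host/UID/username cache that must be flushed when a host's copy is replaced, so reused or removed UIDs are not served stale. The loader function, the class and its method names are assumptions of this example.

```python
import pwd
LOCALHOST = "127.0.0.1"

# Constructed stand-in for the per-host copies the post would keep as
# /var/etc/passwd.<ip>, keyed by the sending host's IP address.
PASSWD_COPIES = {
    "192.168.10.10": "root:x:0:0:root:/root:/bin/bash\n"
                     "lenny:x:500:500:LC Bruzenak:/home/lenny:/bin/bash\n",
}

def load_passwd_copy(host):
    with open("/var/etc/passwd.%s" % host) as f:   # default: the pushed copy
        return f.read()

class UidResolver:
    """(host, uid) -> username: local via getpwuid(), remote hosts from the
    pushed passwd copy, parsed by hand since Python has no fgetpwent."""
    def __init__(self, loader=load_passwd_copy):
        self.loader = loader
        self.cache = {}   # the host/UID/username triplet cache

    def _remote_lookup(self, host, uid):
        try:
            text = self.loader(host)
        except (OSError, KeyError):
            return None   # no copy for this host yet
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) >= 3 and fields[2] == str(uid):
                return fields[0]
        return None

    def resolve(self, host, uid):
        key = (host, uid)
        if key not in self.cache:
            if host in (LOCALHOST, "localhost"):
                try:
                    name = pwd.getpwuid(uid).pw_name
                except KeyError:
                    name = None
            else:
                name = self._remote_lookup(host, uid)
            self.cache[key] = name
        return self.cache[key]

    def invalidate(self, host):
        # Flush <host> when a fresh copy arrives, so reused UIDs are not stale.
        for key in [k for k in self.cache if k[0] == host]:
            del self.cache[key]
```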
Do not record auditd events for crond attempts
by Call, Tom H
Steve, et.al.
Here is a representative sample of audit.log entries recorded whenever
cron periodically (every minute) queries for cron entries that need
execution.
"
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0
auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=LOGIN msg=audit(1236084901.871:2383): login pid=20156 uid=0 old
auid=4294967295 new auid=0
type=USER_START msg=audit(1236084901.871:2384): user pid=20156 uid=0
auid=0 msg='PAM session open: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
type=CRED_ACQ msg=audit(1236084901.871:2385): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=CRED_DISP msg=audit(1236084902.141:2386): user pid=20156 uid=0
auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron result=Success)'
type=USER_END msg=audit(1236084902.141:2387): user pid=20156 uid=0
auid=0 msg='PAM session close: user="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron result=Success)'
"
These events typically comprise at least 80% of all the audit.log
entries, although they are repetitive throughout the log and do not
indicate any user attempt to compromise the system.
Is there any relatively straightforward way that I can configure
auditd to not record events for crond routinely running as root?
I am using audit-1.0.16-3.el4 on CentOS-4.7
Thanks!
Tom Call, LMCO
15 years, 9 months
Re: audit-viewer
by Miloslav Trmac
Hello,
----- "Dan Gruhn" <Dan.Gruhn(a)groupw.com> wrote:
> I am getting this error when audit viewer starts:
>
> # audit-viewer
> Error reading audit events: No such file or directory.
>
> Thinking that perhaps something is pointing to the wrong files, I
> attempted to use Window/Change event source... Then I get this:
<snip>
> File "/usr/local/share/audit-viewer/source_dialog.py", line 161, in __source_log_with_rotated_toggled
> self.source_log.set_active_iter(it)
> TypeError: iter should be a GtkTreeIter
This crash is a bug in audit-viewer, I'll fix it for the next release.
I'm not 100% sure, but I think the problem is caused by the fact that audit-viewer searches for audit logs in the --prefix subtree (as specified by configure). You can verify the used path by running (strings /your/prefix/libexec/audit-viewer-server-real | grep /log/audit); if it is not /var/log/audit, you'll need to rebuild audit-viewer, specifying --localstatedir=/var.
I'll document the necessity to use --localstatedir.
Thank you,
Mirek
15 years, 9 months
strange arguments in some EXEC audit events
by Nikola Ciprich
Hello,
I'd like to ask about one thing regarding audit I don't understand:
We are running auditd configured to log some syscalls (i.e. exec) and everything works fine, but quite often we're getting
some strange records:
type=SYSCALL msg=audit(1236001721.608:55239): arch=c000003e syscall=59 success=yes exit=0 a0=7f1407a74653 a1=7fff1088d710 a2=12cf580 a3=7f1408884770 items=2 ppid=20278 pid=23246 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25 comm="sh" exe="/bin/bash" subj=kernel key=(null)
type=EXECVE msg=audit(1236001721.608:55239): argc=3 a0="sh" a1="-c" a2=66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C
type=CWD msg=audit(1236001721.608:55239): cwd="/var/log/audit"
type=PATH msg=audit(1236001721.608:55239): item=0 name="/bin/sh" inode=97403 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=PATH msg=audit(1236001721.608:55239): item=1 name=(null) inode=63681 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=SYSCALL msg=audit(1236001721.609:55240): arch=c000003e syscall=59 success=yes exit=0 a0=11ee410 a1=11ee9d0 a2=11ed260 a3=0 items=2 ppid=23246 pid=23247 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=25 comm="file" exe="/usr/bin/file" subj=kernel key=(null)
I'm not sure what the "66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C" argument might be; is it somehow an encoded string? It seems to remain unchanged across multiple events...
Could somebody shed some light on it for me?
Thanks a lot in advance!
BR
nik
--
-------------------------------------
Nikola CIPRICH
LinuxBox.cz, s.r.o.
28. rijna 168, 709 01 Ostrava
tel.: +420 596 603 142
fax: +420 596 621 273
mobil: +420 777 093 799
www.linuxbox.cz
mobil servis: +420 737 238 656
email servis: servis(a)linuxbox.cz
-------------------------------------
15 years, 9 months
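The unquoted a2= value above is the audit subsystem's escaped form for a string it will not quote (one containing a space, a quote or a control byte): every byte is written as two uppercase hex digits, so the argument decodes to a plain shell command line. The Python below is an added example, not code from either thread: it parses audit records, decodes such EXECVE arguments, and applies the same parser to the crond PAM bookkeeping records from Tom Call's question so they can be separated from other events at analysis time. The log lines are constructed samples modelled on the two threads (the EXECVE line reuses the hex value quoted here), and the function names are this example's own.

```python
import re
import binascii

# Constructed sample records modelled on the two threads (the EXECVE line
# reuses the hex argument quoted in the question).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1236084901.871:2382): user pid=20156 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
type=EXECVE msg=audit(1236001721.608:55239): argc=3 a0="sh" a1="-c" a2=66696C65202D4C202F7661722F6C6F672F61756469742F61756469742E6C6F6720323E2F6465762F6E756C6C
type=USER_START msg=audit(1236085001.120:2390): user pid=20190 uid=0 auid=500 msg='PAM session open: user="lenny" exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=pts/1 result=Success)'
"""

# key=value tokens: "double quoted", 'single quoted' (the PAM msg=...) or bare.
_FIELD = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)""")
_HEX = re.compile(r"(?:[0-9A-F]{2})+")   # the kernel's escaped-string form
_ARG = re.compile(r"a\d+")
PAM_TYPES = {"USER_ACCT", "USER_START", "USER_END", "CRED_ACQ", "CRED_DISP"}

def decode_hex_arg(val):
    """An EXECVE argument holding a space, quote or control byte is logged
    unquoted as uppercase hex pairs; anything else is returned unchanged."""
    if _HEX.fullmatch(val):
        return binascii.unhexlify(val).decode("utf-8", "replace")
    return val

def parse_record(line):
    """Parse one audit record into a dict; the audit(ts:serial): token is
    stored as 'serial' so the PAM msg='...' payload keeps the 'msg' key."""
    rec = {}
    for key, raw in _FIELD.findall(line):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
        val = raw[1:-1] if quoted else raw
        if key == "msg" and val.startswith("audit("):
            key = "serial"
        elif rec.get("type") == "EXECVE" and not quoted and _ARG.fullmatch(key):
            val = decode_hex_arg(val)
        rec[key] = val
    return rec

def execve_argv(rec):
    """Rebuild the command line from an EXECVE record (a0, a1, ... in order)."""
    return [rec["a%d" % i] for i in range(int(rec["argc"]))]

def is_crond_pam_noise(rec):
    """The per-minute crond bookkeeping: PAM session/cred events that
    /usr/sbin/crond itself emits for root with result=Success. The matching
    LOGIN record carries no exe= and has to be tied to these by pid."""
    inner = rec.get("msg", "")
    return (rec.get("type") in PAM_TYPES and rec.get("uid") == "0"
            and 'exe="/usr/sbin/crond"' in inner and "result=Success" in inner)
```

Filtering this way only reduces what an analyst reads; the records are still written to audit.log, which is the safer default until a kernel-side exclusion that can match on the emitting program is available.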
Re: audit-viewer
by Miloslav Trmac
----- "Dan Gruhn" <Dan.Gruhn(a)groupw.com> wrote:
> I have audit-viewer-0.4 and get the following error from "make
> install"
>
> Byte-compiling python modules...
> client.py dialog_base.py event_dialog.py event_source.py filters.py
> format_versions.py list_properties.py list_tab.py File
> "/usr/local/share/audit-viewer/list_tab.py", line 558
> store_data[column + 1] = l.pop(0) if l else ''
> ^
> SyntaxError: invalid syntax
>
> Is it just me or should I try the 0.3 version?
Please apply the attached patch against the src subdirectory.
Mirek
15 years, 9 months