Re: audit 2.0.4 auid problem
by Jean-Francois Vincent
I would like to audit specifically interactive actions taken from the
console ttys (ttyS0,ttyS1,tty-1-6) and I've just discovered the /bin/login
we use here was compiled without PAM libs. So I guess I will not be able to
get auid nor TTY auditing...
By the way, is there any way (now or planned) to filter on TTY (at least for
syscalls where tty= appears) using the auditctl -F option? It seems -F
covers a lot of objects but not tty?
Regards
JF
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Thursday, 3 June 2010 16:30
> To: linux-audit(a)redhat.com
> Cc: Jean-Francois Vincent
> Subject: Re: audit 2.0.4 auid problem
>
> On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote:
> > 1 ) Is there any bug with auid always set to 4294967295 ?
>
> You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any
> pamified entry point daemon. (but not sudo or su.)
>
>
> > 2) I've also searched for logging commands specific to a TTY, but it
> > seems auditd cannot filter on one specific TTY. I've been looking for
> > auditctl -F options but I don't see any TTY filtering option. Is it
> > possible?
>
> Look for pam_tty_audit man page.
>
> -Steve
>
>
14 years, 6 months
audit 2.0.4 auid problem
by Jean-Francois Vincent
Hello,
I've compiled audit-2.0.4 on our Linux From Scratch version.
Here is the log of the date command issued by the user "system":
May 27 10:20:36 doma audispd: node=doma type=SYSCALL
msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0
a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006
auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19
sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)
May 27 10:20:36 doma audispd: node=doma type=EXECVE
msg=audit(1274948436.000:57884): a0="date"
May 27 10:20:36 doma audispd: node=doma type=PATH
msg=audit(1274948436.000:57884): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00
Here's the same report for the date command after the user "system" changed
its id using sudo su -:
May 27 10:22:13 doma audispd: node=doma type=SYSCALL
msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0
a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty1 comm="date" exe="/bin/date" key=(null)
May 27 10:22:13 doma audispd: node=doma type=EXECVE
msg=audit(1274948533.407:58095): a0="date"
May 27 10:22:13 doma audispd: node=doma type=PATH
msg=audit(1274948533.407:58095): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00
1) Is there any bug with auid always set to 4294967295?
2) I've also searched for logging commands specific to a TTY, but it seems
auditd cannot filter on one specific TTY. I've been looking for auditctl -F
options but I don't see any TTY filtering option. Is it possible?
Regards
JF Vincent
14 years, 6 months
Audit 2.0.4 auid issue
by Eric Patate
Hello,
I would like to configure auditd to only log events issued by some users
acting as root after a 'sudo su -'.
Unfortunately, after the user "system" does a "sudo su -", the ids of the user
are the same as root's.
Here is the log of the date command issued by the user "system" (uid 500):
May 27 10:20:36 doma audispd: node=doma type=SYSCALL
msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0
a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006
auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19
sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)
May 27 10:20:36 doma audispd: node=doma type=EXECVE
msg=audit(1274948436.000:57884): a0="date"
May 27 10:20:36 doma audispd: node=doma type=PATH
msg=audit(1274948436.000:57884): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00
Here's the same report for the date command after the user "system" changed
its id using sudo su -:
May 27 10:22:13 doma audispd: node=doma type=SYSCALL
msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0
a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty1 comm="date" exe="/bin/date" key=(null)
May 27 10:22:13 doma audispd: node=doma type=EXECVE
msg=audit(1274948533.407:58095): a0="date"
May 27 10:22:13 doma audispd: node=doma type=PATH
msg=audit(1274948533.407:58095): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00
Any idea how I can identify the primary login user for one specific command?
At first I thought it was auid, but its value is always set to 4294967295.
I've also searched for logging commands specific to a TTY, but it seems
auditd cannot filter on one specific TTY.
I've compiled and run audit on our own version of linux.
Regards
FP.
14 years, 6 months
Auditing tcpdump&co
by Jure Simsic
Hi,
I'm trying to catch all events from any net sniffers, aka tcpdump, snoop,
ethereal... I think I managed to make a rule that will do that:
-a entry,always -S socketcall -F euid=0 -F a0=3
I've played around and I think it does the trick. Do you see any problems
with this rule?
The problem I'm trying to solve now is how to get a daily report of all such
events. I was trying to filter it on
ausearch -m SYSCALL -sc socketcall -ue 0
but I get all possible sshd, ftpd and the bunch as well. I could do
post-processing with a whitelist and ignore all I know are OK, but it would be
much nicer if I could get the search a bit narrower in the first place. Any
ideas?
Thanks
Jure
14 years, 6 months
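The three questions in this thread (why auid reads 4294967295, how to narrow records to particular ttys when auditctl -F offers no tty field, and how to trim a socketcall report down to processes that are not already known) can all be handled in post-processing of the raw records that ausearch returns. The script below is an added example written for this page; it is not code from the audit project or from any of the posters. The first two sample records are the SYSCALL lines quoted in the thread, rejoined onto one line each; the other two records are constructed for the example (a root shell on ttyS0 with a set auid, and an i386 socketcall, syscall number 102 under arch=40000003, from tcpdump). 4294967295 is 0xFFFFFFFF, i.e. (uid_t)-1, the value the kernel reports when nothing in the PAM stack (pam_loginuid) ever set the login uid; the helper names and the known-good exe list are assumptions of this example.

```python
"""Post-process raw Linux audit SYSCALL records offline.

Added example for this thread (not audit-project code): detect records whose
login uid (auid) was never set, narrow to a chosen set of ttys, and reduce a
per-syscall report to records whose exe is not on a known-good list.
"""
import re

# auid the kernel reports when no pam_loginuid call ever set it: (uid_t)-1.
AUID_UNSET = 0xFFFFFFFF  # == 4294967295

# Constructed sample input. Records 1 and 2 are the ones quoted in the thread;
# records 3 and 4 are made up for this example (serial-console root shell with
# auid set; i386 socketcall, syscall 102, from tcpdump).
SAMPLE_RECORDS = [
    'node=doma type=SYSCALL msg=audit(1274948436.000:57884): arch=c000003e '
    'syscall=59 success=yes exit=0 a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 '
    'ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 '
    'fsuid=1000 egid=19 sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" '
    'key=(null)',
    'node=doma type=SYSCALL msg=audit(1274948533.407:58095): arch=c000003e '
    'syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 '
    'ppid=27175 pid=27181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=tty1 comm="date" exe="/bin/date" key=(null)',
    'node=doma type=SYSCALL msg=audit(1274950000.123:60001): arch=c000003e '
    'syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=100 '
    'pid=101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=ttyS0 comm="date" exe="/bin/date" key=(null)',
    'node=doma type=SYSCALL msg=audit(1274950100.456:60010): arch=40000003 '
    'syscall=102 success=yes exit=3 a0=1 a1=bfff0000 a2=0 a3=0 items=0 '
    'ppid=200 pid=201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts0 comm="tcpdump" exe="/usr/sbin/tcpdump" '
    'key="sniff"',
]

# key=value pairs: a quoted string, a parenthesised token such as (null),
# or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Turn one raw audit record into a dict, stripping quotes from values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def auid_is_unset(rec):
    """True when the login uid was never set, i.e. auid == (uid_t)-1."""
    try:
        return int(rec.get('auid', -1)) == AUID_UNSET
    except ValueError:
        return False


def records_on_ttys(records, ttys):
    """Keep only records whose tty field is one of the given ttys."""
    wanted = set(ttys)
    return [r for r in records if r.get('tty') in wanted]


def unattributed_root_actions(records):
    """Records that ran with euid 0 but cannot be tied back to a login user."""
    return [r for r in records if r.get('euid') == '0' and auid_is_unset(r)]


def syscall_report(records, syscall_nr, known_good_exes):
    """Records for one syscall number whose exe is not on the known-good list."""
    allowed = set(known_good_exes)
    return [r for r in records
            if r.get('syscall') == str(syscall_nr) and r.get('exe') not in allowed]


def summarize(rec):
    """One-line summary of a record for the report printed below."""
    auid = 'unset' if auid_is_unset(rec) else rec.get('auid')
    return (f"{rec.get('msg')} tty={rec.get('tty')} auid={auid} "
            f"euid={rec.get('euid')} exe={rec.get('exe')}")


if __name__ == '__main__':
    recs = [parse_record(line) for line in SAMPLE_RECORDS]
    print('root actions with no login uid (pam_loginuid missing upstream):')
    for r in unattributed_root_actions(recs):
        print('  ' + summarize(r))
    print('records on the console ttys only:')
    for r in records_on_ttys(recs, ['tty1', 'ttyS0', 'ttyS1']):
        print('  ' + summarize(r))
    print('i386 socketcall records not from a known-good exe:')
    for r in syscall_report(recs, 102, ['/usr/sbin/sshd', '/usr/sbin/vsftpd']):
        print('  ' + summarize(r))
```

In practice the input would be the output of `ausearch --raw` (or the audit.log lines themselves) piped into this script; the point of `unattributed_root_actions` is that once `pam_loginuid` is in the login path, the second record in the thread would carry auid=1000 even though every other id field is 0, which is exactly the attribution the second and third posters are after. The tty filter is done here rather than in auditctl because, as the reply in the thread says, -F has no tty field; the known-good exe list for the socketcall report is the "whitelist post-processing" the last poster describes.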