what does the arch= hex number represent?
by Peter Moody
What does the hex number after arch= mean?
64-bit seems to always be c000003e and 32-bit seems to be 40000003, but I'd feel a lot better setting up log monitoring if I knew what they actually represented. (For reference: these are the kernel's AUDIT_ARCH_* constants from linux/audit.h — the ELF machine number OR'd with flag bits for 64-bit (0x80000000) and little-endian (0x40000000). So 0xc000003e is AUDIT_ARCH_X86_64 (EM_X86_64 = 62 = 0x3e) and 0x40000003 is AUDIT_ARCH_I386 (EM_386 = 3). A monitor should match on the exact constant rather than on "32-bit vs 64-bit", because a 32-bit process on a 64-bit kernel logs arch=40000003 and the same syscall number means a different syscall under each arch.)
$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) ...
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
Capture System Time Changes
by Rye, Gene R.
I am using both the NISPOM and STIG rules for my audit.rules file. As root, if I perform a system time change, it does not capture this information in either /var/log/secure or /var/log/audit/audit.log. How can I capture when someone changes the time or attempts to change the time? (Note: a time change is a syscall — adjtimex, settimeofday or clock_settime, or for the zone a write to /etc/localtime — so it only reaches audit.log if a rule such as `-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change` (and its arch=b32 twin) is actually loaded; `auditctl -l` shows whether the STIG time rules took effect. A syscall rule without `-F success=` also records failed attempts, with success=no in the SYSCALL record. /var/log/secure only carries PAM/authentication messages, so it is not where a time change would appear.)
linux auditd: Not getting log for chmod syscall
by bharat gupta
Hi,
I am using redhat 6, and trying to create logs for some system call using
the rule given below:
*-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500
-F auid!=4294967295 -k perm_mod*
After running the chmod command I was not able to get any log, but when I used strace I saw that the syscall had been called.
I also checked that auditd service is running properly.
Could you guide me on why I am not able to get any log message?
I also checked by writing a rule for 32-bit, but the problem is still not resolved.
--
Bharat Gupta
IIT -Roorkee
Path ignored but syscall event still logged
by Max Williams
Hi All,
I have a system that is logging many events for a path that I think should be ignored...
[root@host1 ~]# auditctl -l
LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditd_configuration
LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=auditd_configuration
LIST_RULES: exit,always watch=/etc/libaudit.conf perm=wa key=auditd_configuration
LIST_RULES: exit,always watch=/etc/sysconfig/auditd perm=wa key=auditd_configuration
LIST_RULES: exit,never dir=/etc/lvm/cache (0xe) syscall=all
LIST_RULES: exit,never dir=/opt (0x4) syscall=all
LIST_RULES: exit,never dir=/tmp (0x4) syscall=all
LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all
LIST_RULES: exit,never dir=/naab2 (0x6) syscall=all
LIST_RULES: exit,never dir=/ab1 (0x4) syscall=all
LIST_RULES: exit,never dir=/ab2 (0x4) syscall=all
LIST_RULES: exit,always perm=a key=file_attributes
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=file_attributes syscall=ioctl
LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=-2146933247 (0x80086601) key=file_attributes syscall=ioctl
LIST_RULES: exit,always arch=3221225534 (0xc000003e) exit=-13 (0xfffffff3) key=invalid_logical_access syscall=open
LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=bin_modification
LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=boot_modification
LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=etc_modification
LIST_RULES: exit,always dir=/home (0x5) perm=wa key=home_modification
LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=lib_modification
LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=lib64_modification
LIST_RULES: exit,always dir=/root (0x5) perm=wa key=root_modification
LIST_RULES: exit,always dir=/sbin (0x5) perm=wa key=sbin_modification
LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=usr_modification
LIST_RULES: exit,always dir=/var/spool/at (0xd) perm=wa key=misc_var
LIST_RULES: exit,always dir=/var/spool/cron (0xf) perm=wa key=misc_var
LIST_RULES: exit,never dir=/var (0x4) syscall=all
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=dir_operations syscall=mkdir,rmdir,unlinkat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=link_operation syscall=rename,link,unlink,symlink
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=special_device_creation syscall=mknod,mknodat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=mount_operation syscall=mount,umount2
LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=kernel_module syscall=create_module,init_module,delete_module
LIST_RULES: exclude,always msgtype=CRED_ACQ (0x44f)
LIST_RULES: exclude,always msgtype=CRED_DISP (0x450)
LIST_RULES: exclude,always msgtype=CRYPTO_KEY_USER (0x964)
LIST_RULES: exclude,always msgtype=CRYPTO_SESSION (0x967)
LIST_RULES: exclude,always msgtype=LOGIN (0x3ee)
LIST_RULES: exclude,always msgtype=USER_ACCT (0x44d)
LIST_RULES: exclude,always msgtype=USER_AUTH (0x44c)
LIST_RULES: exclude,always msgtype=USER_CMD (0x463)
LIST_RULES: exclude,always msgtype=USER_END (0x452)
LIST_RULES: exclude,always msgtype=USER_LOGIN (0x458)
LIST_RULES: exclude,always msgtype=USER_START (0x451)
[root@host1 ~]# tail /var/log/audit/audit.log
node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=3 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958573 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=2 name="temp_checkpoint.checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=3 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958614 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=4 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958644 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=4 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00
node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550511): arch=c000003e syscall=82 success=yes exit=0 a0=7ecdb0 a1=7d10e0 a2=7f6c0782dcd4 a3=0 items=4 ppid=14614 pid=16951 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=9372 comm="db-update.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/db_v2/bin/db-update.impl.gcc4p64" key="link_operation"
node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550512): arch=c000003e syscall=82 success=yes exit=0 a0=9a6e50 a1=92e9f0 a2=7fe84e682cd4 a3=0 items=4 ppid=14595 pid=14937 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=10226 comm="multitool.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/bin/multitool" key="link_operation"
node=host1.domain type=CWD msg=audit(1324401918.113:223550511): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873"
node=host1.domain type=CWD msg=audit(1324401918.113:223550512): cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4ef0423c-38fe"
node=host1.domain type=PATH msg=audit(1324401918.113:223550511): item=0 name="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" inode=30932995 dev=fd:0d mode=040755 ouid=3534 ogid=9001 rdev=00:00
[root@host1 ~]#
I'm referring to event ID 223550511 (key is link_operation) in the logs; its CWD and item=0 PATH records are under '/naab1/...' (syscall 82 on arch c000003e is rename).
How come this event is not ignored due to the 8th rule, `exit,never dir=/naab1 (0x6) syscall=all`? I think I'm missing something. (A side note on the listing above, if I read it correctly: the `exclude,always msgtype=LOGIN/USER_AUTH/USER_LOGIN/USER_CMD/...` rules discard the login and authentication records entirely, so this configuration keeps no audit trail of who logged in or of commands run through sudo (USER_CMD) — worth being aware of if the goal is security monitoring rather than just noise reduction.)
Many thanks,
Max
linux audit: not getting log for chmod
by bharat gupta
>
> Hi,
>
> I am using redhat 6, and trying to create logs for some system call using
> the rule given below:
>
> *-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500
> -F auid!=4294967295 -k perm_mod*
>
> -> After running command chmod i was not able to get any log, but when i
> used strace command i have seen that syscall have been called.
> -> I also checked that auditd service is running properly.
> -> May you guide me why i am not able to get any log message.
> -> I also checked by writing a rule for 32-bit, but the problem is still not
> resolved.
>
>
-> When I ran the command `auditctl -l | grep chmod` I got the output
given below:
LIST_RULES: exit,always arch=1073741827 (0x40000003) auid>=500 (0x1f4)
auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4)
auid!=-1 (0xffffffff) key=perm_mod syscall=chmod,fchmod,fchmodat
-> When I use strace it shows that the "fchmodat" system call was called, and I have included that in my rule, but I am still not getting any log. (Note that the rule only fires for `auid>=500`; the test below runs as root in /root, so if that shell was logged in directly as root (auid=0) or has no login uid at all (auid=4294967295, e.g. cron, or a console session started before auditd), the auid filter excludes it — check `cat /proc/self/loginuid` in the shell that runs chmod, or temporarily drop the auid filters to confirm.) The strace command and its output are given below:
*Command* : strace -o /root/bharat/chmodSystemCallOutput.txt chmod 765
/root/bharat/test02
*Output*:
execve("/bin/chmod", ["chmod", "765", "/root/bharat/test02"], [/* 31 vars
*/]) = 0
brk(0) = 0xdbe000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aaa2000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=70036, ...}) = 0
mmap(NULL, 70036, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa36aa90000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\355\1\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1907344, ...}) = 0
mmap(NULL, 3737768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7fa36a4f3000
mprotect(0x7fa36a67a000, 2097152, PROT_NONE) = 0
mmap(0x7fa36a87a000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7fa36a87a000
mmap(0x7fa36a87f000, 18600, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa36a87f000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7fa36aa8d000
arch_prctl(ARCH_SET_FS, 0x7fa36aa8e700) = 0
mprotect(0x7fa36a87a000, 16384, PROT_READ) = 0
mprotect(0x7fa36aaa3000, 4096, PROT_READ) = 0
munmap(0x7fa36aa90000, 70036) = 0
brk(0) = 0xdbe000
brk(0xddf000) = 0xddf000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158752, ...}) = 0
mmap(NULL, 99158752, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa364662000
close(3) = 0
umask(0) = 077
stat("/root/bharat/test02", {st_mode=S_IFREG|0777, st_size=18, ...}) = 0
fchmodat(AT_FDCWD, "/root/bharat/test02", 0765) = 0
close(1) = 0
close(2) = 0
exit_group(0)
--
Bharat Gupta
IIT -Roorkee
Relying on syscall record for information and useless key/value duplication
by Eric Paris
So I realized today that we have overlapping information in records and
I don't like it. A great example would be the MAC_STATUS record and how
you can get duplicate info. Looking at that following output.
type=MAC_STATUS msg=audit(1326314451.473:1018): enforcing=0 old_enforcing=1 auid=4166 ses=2
type=SYSCALL msg=audit(1326314451.473:1018): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffc73e1200 a2=1 a3=0 items=0 ppid=3110 pid=21435 auid=4166 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
What you see is that the MAC_STATUS record tells us more than just the
MAC status. It also includes the auid and ses. Why only that info?
Why not other info like the SELinux context? What really bothers me is
that we already get that info (and a lot more info) in the SYSCALL
record. I believe this is bogus. What I'd like to do is to create a
new record called the 'TASK_INFO' record that will contain:
ppid pid auid uid gid euid suid fsuid egid sgid fsgid tty ses comm exe
subj
And have this record be 'automagically' emitted any time any record is
emitted. Thus we don't have information duplication and even if you
have rules to exclude the SYSCALL record you still get all the info you
ever needed for the MAC_STATUS record you wanted.
Does this make sense? Is there a reason not to do this? It makes the
code smaller, faster, easier to maintain, and MUCH easier to prove
correct and complete. It logically separates the info that is from the
task doing the action from the records which are supposed to report on
individual actions. (One thing that would need settling: how msgtype `exclude` filters and records emitted with no syscall context interact with an always-emitted TASK_INFO record, so that attribution is never silently lost for exactly the records people want to keep.)
Shouldn't MAC_STATUS be about the mac status? Shouldn't config change
records be about the config that changed? Shouldn't the xfrm records be
about XFRM? Obviously attributing these actions to a given task is
important, but it isn't being put where it belongs.
Consolidate Audit's msgs
by dump@tzib.net
Hi,
I was wondering if there had already been an effort or solution to
consolidate msgs from auditd into a single line.
I'm talking about buffering the messages until EOE (or timing out/empty
buffer if EOE doesn't come on errors), and concatenating messages with
the same ID into a single message. Potentially also transforming the
message syntax while at it.
I'm asking because some loggers will only accept specific message formats.
I looked at the plugins, but, from what I gather, the kernel sends the
messages as raw strings and I'm not sure of the performance/memory
impact when auditd cranks out a lot of messages.
An alternative could be to send all the msgs as text to a remote auditd
host using audispd-remote, and processing the log file on that host.
It means even more messages to process however and I'm not sure the text
file interface will be fast enough/might have too much disk activity and
break often, etc. if auditd again, cranks out a lot of messages from
many hosts (like several thousand per second).
Any insight?
MAC_IPSEC_EVENT Logged without rules
by Diego Woitasen
Hi,
I have a machine with IPsec running (strongSwan) and audit configured to
register some user events. The weird thing is that I'm getting these
messages logged without having any rule for them:
Jan 6 00:21:43 nodovpn668 audispd: node=nodovpn668
type=MAC_IPSEC_EVENT msg=audit(1325820103.059:2953): op=SA-notfound
src=172.16.0.59 dst=172.16.0.181 spi=2351148309(0x8c23ad15)
seqno=1463943698
My workaround is: auditctl -a exclude,always -F msgtype=MAC_IPSEC_EVENT
Bug, or am I missing something? (Caveat on the workaround: as far as I can tell these records come from the kernel's XFRM/IPsec code, which emits them whenever auditing is enabled regardless of auditctl rules, and `op=SA-notfound` means an ESP/AH packet arrived with an SPI for which the kernel has no SA — a peer with a stale SA, or spoofed/replayed traffic. Excluding the msgtype in the kernel discards that signal entirely; filtering or rate-limiting it at the collector keeps it available for investigation.)
Regards,
Diego
--
Diego Woitasen
GUI audit review interface?
by Steve M. Zak
Hi,
Does Red hat provide a GUI interface to view and filter the audit log?
Are you aware of any third party tools?
Thanks!
Steve M. Zak
[PATCH 1/5] audit: allow interfield comparison in audit rules
by Eric Paris
We wish to be able to audit when a uid=500 task accesses a file which is
uid=0. Or vice versa. This patch introduces a new audit filter type
AUDIT_FIELD_COMPARE which takes an 'enum' value indicating which fields
should be compared. At this point we only define the task->uid vs
inode->uid comparison, but other comparisons can be added.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
include/linux/audit.h | 4 ++++
kernel/auditfilter.c | 5 ++++-
kernel/auditsc.c | 30 +++++++++++++++++++++++++++++-
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index c1048b6..7bf31e2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -182,7 +182,10 @@
* AUDIT_UNUSED_BITS is updated if need be. */
#define AUDIT_UNUSED_BITS 0x07FFFC00
+/* AUDIT_FIELD_COMPARE rule list */
+#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
+#define AUDIT_MAX_FIELD_COMPARE AUDIT_COMPARE_UID_TO_OBJ_UID
/* Rule fields */
/* These are useful when checking the
* task structure at task creation time
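Review bot: The new AUDIT_COMPARE_* constants in this hunk carry no note that they appear to be part of the userspace-visible rule interface (they travel in the rule's field value), even though `AUDIT_MAX_FIELD_COMPARE` is what the loader validates against. A comment such as `/* AUDIT_FIELD_COMPARE values (f->val): 1-based, exposed to userspace; append new entries and bump AUDIT_MAX_FIELD_COMPARE */` would make both the numbering and the maintenance rule explicit. The enclosing define block continues outside the hunk.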
@@ -225,6 +228,7 @@
#define AUDIT_FILETYPE 108
#define AUDIT_OBJ_UID 109
#define AUDIT_OBJ_GID 110
+#define AUDIT_FIELD_COMPARE 111
#define AUDIT_ARG0 200
#define AUDIT_ARG1 (AUDIT_ARG0+1)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f10605c..a6c3f1a 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -526,7 +526,6 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_FILTERKEY:
- err = -EINVAL;
if (entry->rule.filterkey || f->val > AUDIT_MAX_KEY_LEN)
goto exit_free;
str = audit_unpack_string(&bufp, &remain, f->val);
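Review bot: Dropping `err = -EINVAL;` in the AUDIT_FILTERKEY case makes the `goto exit_free` on the next line return whatever `err` held before the switch, and the loop header and any earlier assignment to `err` are outside the hunk, so it is not visible here that it is still -EINVAL at that point. If it can be 0 there, a duplicate or oversized key would be reported to userspace as success instead of being rejected. Unless the cleanup is backed by an `err = -EINVAL;` at the top of the loop body, keeping the assignment is the safer form.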
@@ -543,6 +542,10 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
if (f->val & ~S_IFMT)
goto exit_free;
break;
+ case AUDIT_FIELD_COMPARE:
+ if (f->val > AUDIT_MAX_FIELD_COMPARE)
+ goto exit_free;
+ break;
default:
goto exit_free;
}
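Review bot: The range check added for AUDIT_FIELD_COMPARE accepts `f->val == 0`, which no AUDIT_COMPARE_* constant uses (they start at 1), so a rule loaded with that value passes validation and then lands in the `default:` WARN branch of audit_field_compare on every filter evaluation. Reject it at load time with `if (f->val == 0 || f->val > AUDIT_MAX_FIELD_COMPARE)` so a malformed rule fails with -EINVAL like the other field types. The enclosing switch starts outside the hunk.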
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 37ad085..efb1763 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -463,6 +463,32 @@ static int match_tree_refs(struct audit_context *ctx, struct audit_tree *tree)
return 0;
}
+static int audit_field_compare(struct task_struct *tsk,
+ const struct cred *cred,
+ struct audit_field *f,
+ struct audit_context *ctx,
+ struct audit_names *name)
+{
+ struct audit_names *n;
+
+ switch (f->val) {
+ case AUDIT_COMPARE_UID_TO_OBJ_UID:
+ if (name) {
+ return audit_comparator(cred->uid, f->op, name->uid);
+ } else if (ctx) {
+ list_for_each_entry(n, &ctx->names_list, list) {
+ if (audit_comparator(cred->uid, f->op, n->uid))
+ return 1;
+ }
+ }
+ break;
+ default:
+ WARN(1, "Missing AUDIT_COMPARE define. Report as a bug\n");
+ return 0;
+ }
+ return 0;
+}
+
/* Determine if any context name data matches a rule's watch data */
/* Compare a task_struct with an audit_rule. Return 1 on match, 0
* otherwise.
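Review bot: audit_field_compare has no comment explaining its two lookup paths or their match semantics, which matter to rule authors: when `name` is NULL it walks `ctx->names_list` and returns 1 as soon as any one entry satisfies `cred->uid <op> n->uid`, so with the `!=` operator a rename that touches both a root-owned and a caller-owned path matches even though one of those entries is the caller's own file. A kernel-doc header stating that the comparison is against the single name when one is passed and otherwise against "any name in the context", and that `tsk` is currently unused, would document this. If `tsk` is reserved for later comparisons, saying so in the same comment avoids it being flagged as dead.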
@@ -693,8 +719,10 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FILETYPE:
result = audit_match_filetype(ctx, f->val);
break;
+ case AUDIT_FIELD_COMPARE:
+ result = audit_field_compare(tsk, cred, f, ctx, name);
+ break;
}
-
if (!result)
return 0;
}
--
1.7.1