multiline entries in audit.rules
by Bryan D. Payne
I just spent a chunk of time debugging an issue with my audit.rules
file. So I just wanted to post here as (1) a feature request and (2)
a note for others that may be heading down this path.
The situation is that I have some longish lines in my
/etc/audit/audit.rules file. So, to clean things up, I broke them
into multiple lines as follows...
Something like this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
Became this:
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \
-F auid!=4294967295 -k perm_mod
This change, however, breaks the parsing by auditctl.
It would be nice to have the ability to have multiline entries in the
rules file. But in the meantime, hopefully this note could help to
save someone else some time.
Cheers,
-bryan
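A workaround for the meantime, added here as an example and not part of Bryan's post: keep the readable, backslash-continued source file, but fold the continuations back into single physical lines before the rules reach `auditctl -R`, which reads one rule per line and has no continuation syntax. The helper and file names below are hypothetical, and the sample rules are constructed to mirror the one quoted above.

```python
"""Fold backslash continuations in an audit.rules file before auditctl -R.

Added example, not code from the list post. auditctl -R reads one rule per
physical line and has no continuation syntax, so a trailing '\\' is handed
to the rule parser as a literal token and the remainder on the next line is
parsed as a second, broken rule. Flattening the file first lets the source
stay readable.
"""
import sys

# Constructed sample that mirrors the post: one rule split with '\', a
# comment, and an ordinary one-line watch rule.
EXAMPLE_RULES = """\
# Record permission changes by real users
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\
   -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
"""


def join_continuations(text):
    """Return text with '\\'-terminated lines merged into the line that follows.

    Leading whitespace on a continuation line is collapsed to a single space;
    comment lines are never continued, so a '\\' at the end of a comment stays
    a comment. A dangling continuation at EOF is kept rather than dropped.
    """
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = line.lstrip()
        if line.endswith("\\") and not line.lstrip().startswith("#"):
            pending += line[:-1].rstrip() + " "
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending.rstrip())
    return "\n".join(out) + "\n"


def flatten_rules_file(src_path, dst_path):
    """Write a flattened copy of src_path to dst_path; returns the line count.

    The destination is what you hand to `auditctl -R`.
    """
    with open(src_path) as src:
        flat = join_continuations(src.read())
    with open(dst_path, "w") as dst:
        dst.write(flat)
    return flat.count("\n")


if __name__ == "__main__":
    # Usage: python flatten_rules.py audit.rules.src > audit.rules.flat
    #        auditctl -R audit.rules.flat
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXAMPLE_RULES
    sys.stdout.write(join_continuations(text))
```

Run it as a step in whatever loads the rules at boot, so the file auditd (or `auditctl -R`) actually reads never contains a backslash.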
audit more syscalls during boot before auditd starts?
by Giang Nguyen
Hi,
I am running Ubuntu 12.04 with audit 1.7.18. I notice that if I
specify the kernel boot parameter audit=1 (according to auditd(8)),
then the kernel audits some syscalls to /var/log/syslog before auditd
starts.
However, I am seeing only syscall=1 (write()). I assume there are more
syscalls like fork/clone() and execve() that are not being audited.
Can I make the kernel -- via boot/runtime configuration, not
recompilation -- audit more syscalls before auditd starts?
I googled but did not find the answer or even this exact question.
Jul 19 20:57:53 host kernel: [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [ 0.000000] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-generic ... audit=1
Jul 19 20:57:53 host kernel: [ 0.000000] audit: enabled (after initialization)
Jul 19 20:57:53 host kernel: [ 0.701807] audit: initializing netlink socket (enabled)
Jul 19 20:57:53 host kernel: [ 0.701813] type=2000 audit(1342731461.540:1): initialized
Jul 19 20:57:53 host kernel: [ 10.112334] type=1400 audit(1342745872.190:2): apparmor="STATUS" operation="profile_load" name="/sbin/dhclient" pid=393 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [ 10.112341] type=1400 audit(1342745872.190:3): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient" pid=550 comm="apparmor_parser"
Jul 19 20:57:53 host kernel: [ 10.112345] type=1300 audit(1342745872.190:2): arch=c000003e syscall=1 success=yes exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
Jul 19 20:57:53 host kernel: [ 10.112353] type=1300 audit(1342745872.190:3): arch=c000003e syscall=1 success=yes exit=70195 ... exe="/sbin/apparmor_parser" key=(null)
...
...
Jul 19 20:58:16 host auditd[1217]: Init complete, auditd 1.7.18 listening for events (startup state enable)
Jul 19 20:58:16 host kernel: [ 34.614216] auditd (1217): /proc/1217/oom_adj is deprecated, please use /proc/1217/oom_score_adj instead.
Thanks.
Re: Success or failure?
by yersinia
Well, I am pretty sure that PCI DSS could consider this a success.
This is because the standard speaks of "security" relevant events, in
the same vein as the Common Criteria standards do. And some distros
that include the Linux audit subsystem are Common Criteria certified
(check in the docs of the audit package, some example configurations for
these standards, well documented).
Hope this helps
best regards
2012/7/22, Michael Mather <michael.mather(a)teksavvy.com>:
> Thanks for the replies.
>
> The problem is that the PCI requirements say:
>
> 10.3 Record at least the following audit trail entries for all system
> components for each event:
> ...
> 10.3.4 Success or failure indication.
>
> I don't know if PCI would accept the notion that this was success.
>
> Michael
> -------
>
> On Sun, 2012-07-22 at 07:52 +0200, yersinia wrote:
>> From the point of view of the linux kernel, and of the audit, you have
>> the right to execute the cp, you don't have permission denied. So the
>> result is success.
>>
>> Best regards
>>
>> 2012/7/22, Michael Mather <michael.mather(a)teksavvy.com>:
>> > Hi,
>> >
>> > I enter the command "sudo cp qwerty /etc/xxx"
>> > and get the reply: "cp: cannot stat `qwerty': No such file or
>> > directory."
>> >
>> > A number of log entries are written. The last two are, in part:
>> >
>> > type=SYSCALL success=yes
>> > type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
>> >
>> > My problem is with "success=yes".
>> >
>> > What is happening?
>> >
>> > Thanks - Michael Mather
>> > -----------------------
>> >
>> >
>> >
>> > --
>> > Linux-audit mailing list
>> > Linux-audit(a)redhat.com
>> > https://www.redhat.com/mailman/listinfo/linux-audit
--
Sent from my mobile device
Success or failure?
by Michael Mather
Hi,
I enter the command "sudo cp qwerty /etc/xxx"
and get the reply: "cp: cannot stat `qwerty': No such file or directory."
A number of log entries are written. The last two are, in part:
type=SYSCALL success=yes
type=EXECVE argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
My problem is with "success=yes".
What is happening?
Thanks - Michael Mather
-----------------------
issues building/running with kernel/audit.h AUDIT_DEBUG = 2
by Peter Moody
I'm trying to track down an issue for one of my users where auditd
seems to be tickling another kernel bug (stack trace below) and I've
run into a couple of issues when bumping AUDIT_DEBUG in kernel/audit.h
1) kernel refuses to build (I can send a patch for this if you'd like).
kernel/auditsc.c: In function 'audit_free_names':
kernel/auditsc.c:1008:45: error: 'i' undeclared (first use in this function)
kernel/auditsc.c:1008:45: note: each undeclared identifier is reported
only once for each function it appears in
2) with i declared and initialized, the kernel seems to hang in
audit_free_names. The box doesn't actually freeze, but nothing is
written to /var/log/kern.log and all terminals become unresponsive
(but the mouse still works).
So I guess I actually have two issues here; the one causing the
initial BUG and the one with cranking up the audit debugging
information.
Anyone have any idea what's going on?
Almost forgot. This stack trace is from 3.2.5 but this problem
persists into at least 3.5-rc5. I can attach configs if needed.
stack trace:
[32581.835894] kernel BUG at fs/buffer.c:1263!
[32581.835898] invalid opcode: 0000 [#1] SMP
[32581.835903] last sysfs file: /sys/devices/system/cpu/sched_mc_power_savings
[32581.835906] CPU 0
[32581.835910] Pid: 14899, comm: python2.6 Not tainted 2.6.38.8-gg868-ganetixenu #1
[32581.835917] RIP: e030:[<ffffffff81153853>] [<ffffffff81153853>] __find_get_block+0x1f3/0x200
[32581.835927] RSP: e02b:ffff88067cfcdc78 EFLAGS: 00010046
[32581.835931] RAX: ffff8807be6b0000 RBX: ffff8807740c50f0 RCX: 00000000007e980a
[32581.835935] RDX: 0000000000001000 RSI: 00000000007e980a RDI: ffff8807b8cad380
[32581.835939] RBP: ffff88067cfcdcd8 R08: 0000000000000001 R09: ffff8807740c5018
[32581.835944] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8807740c501c
[32581.835949] R13: ffff8807740c5048 R14: ffff8807fef36210 R15: 00000000007e980a
[32581.835955] FS: 00007f37fd752700(0000) GS:ffff8807fff26000(0063) knlGS:0000000000000000
[32581.835960] CS: e033 DS: 002b ES: 002b CR0: 000000008005003b
[32581.835965] CR2: 00000000ea515000 CR3: 000000068522b000 CR4: 0000000000002660
[32581.835970] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[32581.835975] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[32581.835979] Process python2.6 (pid: 14899, threadinfo ffff88067cfcc000, task ffff8806e772da80)
[32581.835984] Stack:
[32581.835986] ffff88067cfcdc98 ffffffff81654cd1 ffff88067cfcdca8 ffff8807740c5a98
[32581.835994] ffff88067cfcdd08 ffffffff811c9294 ffff8806ffffffc3 0000000000000014
[32581.836001] ffff8807740c50f0 ffff8807740c501c ffff8807740c5048 ffff8807fef36210
[32581.836009] Call Trace:
[32581.836015] [<ffffffff81654cd1>] ? down_read+0x11/0x30
[32581.836021] [<ffffffff811c9294>] ? ext3_xattr_get+0xf4/0x2b0
[32581.836027] [<ffffffff811baf88>] ext3_clear_blocks+0x128/0x190
[32581.836032] [<ffffffff811bb104>] ext3_free_data+0x114/0x160
[32581.836037] [<ffffffff811bbc0a>] ext3_truncate+0x87a/0x950
[32581.836042] [<ffffffff812133f5>] ? journal_start+0xb5/0x100
[32581.836047] [<ffffffff811bc840>] ext3_evict_inode+0x180/0x1a0
[32581.836052] [<ffffffff8114065f>] evict+0x1f/0xb0
[32581.836058] [<ffffffff81006d52>] ? check_events+0x12/0x20
[32581.836063] [<ffffffff81140c14>] iput+0x1a4/0x290
[32581.836068] [<ffffffff8113ed05>] dput+0x265/0x310
[32581.836072] [<ffffffff81132435>] path_put+0x15/0x30
[32581.836078] [<ffffffff810a5d31>] audit_syscall_exit+0x171/0x260
[32581.836084] [<ffffffff8103ed9a>] sysexit_audit+0x21/0x5f
[32581.836088] Code: 82 00 05 01 00 85 c0 75 de 65 48 89 1c 25 00 05 01 00 e9 87 fe ff ff 48 89 df e8 e9 fc ff ff 4c 89 f7 e9 02 ff ff ff 0f 0b eb fe <0f> 0b eb fe 0f 0b eb fe 0f 1f 44 00 00 55 48 89 e5 41 57 49 89
[32581.836141] RIP [<ffffffff81153853>] __find_get_block+0x1f3/0x200
[32581.836146] RSP <ffff88067cfcdc78>
[32581.836157] ---[ end trace 0658a2308b35c81e ]---
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
PCI-DSS: Log every root actions/keystrokes but avoid passwords
by Florian Crouzat
Hi,
This is my first message to the list so please be indulgent, I might be
mixing concepts here between auditd, selinux and pam. Any guidance much
appreciated.
For PCI-DSS, in order to be allowed to have a real root shell instead of
firing sudo all the time (and its lack of glob/completion), I'm trying
to have any commands fired in any kind of root shell logged. (Of course
it doesn't protect against malicious root users but that's off-topic).
So, I've been able to achieve that purpose by using :
$ grep tty /etc/pam.d/{su*,system-auth}
/etc/pam.d/su:session required pam_tty_audit.so enable=root
/etc/pam.d/sudo:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/sudo-i:session required pam_tty_audit.so open_only enable=root
/etc/pam.d/su-l:session required pam_tty_audit.so enable=root
/etc/pam.d/system-auth:session required pam_tty_audit.so disable=* enable=root
Every keystroke is logged in /var/log/audit/audit.log, which is great.
My only issue is that I just realized that prompted passwords are also
logged, e.g. MySQL password or Spacewalk, etc.
I can read them in plain text when doing "aureport --tty -if
/var/log/audit/audit.log" and PCI-DSS forbids any kind of storage of
passwords. Is there a workaround? E.g.: don't log keystrokes when the
prompt is "hidden" (inputting a password).
I'd like very much to be able to obtain real root shells for ease of
work (sudo -i), my only constraint being: log everything but don't store
any password.
Thanks,
--
Cheers,
Florian Crouzat
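An added note with a config fragment, not part of Florian's post: later pam_tty_audit releases, paired with kernel support that did not exist when this thread was written, skip input typed while the terminal has echo turned off (the password-prompt case) unless the module is explicitly given the log_passwd option. On such a system the lines above need no change; the setting to avoid on a PCI-DSS host is the one shown commented out below.

```text
# /etc/pam.d/system-auth (added example, same intent as the lines above)
# Default on pam_tty_audit/kernel versions that know log_passwd: keystrokes
# are recorded, input typed with echo off (password prompts) is not.
session required pam_tty_audit.so disable=* enable=root

# Do NOT use this variant where passwords must never be stored: it turns
# capture of non-echoed input back on.
# session required pam_tty_audit.so disable=* enable=root log_passwd
```

Check the pam_tty_audit(8) page on the target system for whether log_passwd is recognised at all; where it is not, the module and kernel log everything regardless, and the only remaining control is the retention and access policy on audit.log itself.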
Issues with auditd kernel panic and nfs mounts
by Vaughn, Chad M
Has anybody had any issues with auditd causing a panic upon restart or shutdown? We are using Redhat 5.4 with base auditd. We have diskless clients, thus the /etc and /var are being served from an NFS server. The following rules cause the system to panic when we try to /etc/init.d/auditd restart or just shut the system down. We have hundreds of other Redhat clients with local disks and have not had any problems with these rules until we tried diskless and NFS.
We can comment out the rules listed below and then no problem, but we want to watch /etc and /var. I assume it's something to do with NFS but can't track it down. Any ideas? Thanks.
Example of rules entries that are expected to be causing issues:
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/etc -k sro
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=100 -F auid!=4294967295 -F dir=/var -k sro
--
Regards,
Chad Vaughn
chad.m.vaughn(a)lmco.com
retrieve EIP/RIP for syscall in audit
by Xiaokui Shu
Hello,
I have a question about one of the features of audit.
Can I use audit to log the EIP/RIP at the time of a syscall? There is a "-i"
flag in strace that does the work.
When I compare the mechanisms of audit and strace (ptrace), I find that
maybe it is not possible for strace to do so. Audit is on the kernel
side of a syscall, and does not know the audited program's internal
information (I am not sure if I understand it right). However, one can
still fetch extra information out of the syscall event (e.g. block a
syscall when it comes in, check the audited program's stack and clear the
block), but it may bring much overhead.
Best,
Xiaokui
Output of aureport in columns
by Michael Mather
Hi,
I have managed to find an easy way to put the output of aureport into
neat columns. For example:
aureport -i -f | sed 's/=====/==== /g' | column -t
However, if I combine this with ausearch, as in:
ausearch -k ROOT |aureport -i -f | sed .....
then some lines come out properly and some have extra data that shifts
everything off. For example, here are two successive lines from the
output. The first has 9 fields and the second 15:
311. 12-07-12 16:21:03 /proc/self/loginuid open yes /usr/bin/sudo mm 597
312. 12-07-12 16:21:03 (null) inode=970 dev=08:01 mode=0100755 ouid=0
ogid=0 rdev=00:00 execve yes /sbin/aureport root 599
What is happening?
Thanks - Michael Mather
-----------------------
How to capture mount event in /var/log/audit/audit.log
by Betty Man
Hi Linda
Thanks for the response,
>> $ mount /dev/hdc /dev/cdrom
>> mount: only root can do that
$ strace mount
shows a few lines plus the following:
open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES (Permission denied)
Then the root window that has tail -f /var/log/audit/audit.log
does capture unsuccessful mount with exit=-13
I need /var/log/audit/audit.log to be able to capture the mount event
automatically without strace intervention.
Betty
---------- Forwarded message ----------
From: Betty Man <man.bty(a)gmail.com>
Date: Fri, Jul 6, 2012 at 10:53 PM
Subject: capture mount event in /var/log/audit/audit.log
To: linux-audit(a)redhat.com
Hi Everyone,
In RHEL 5.5, kernel 2.6.18-194.el5, audit-1.7.17-3.el5,
I have the following in /etc/audit/audit.rules:
## non-privilege users using mount command.
-a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
from a general user account
$ mount /dev/hdc /dev/cdrom
mount: only root can do that
but /var/log/audit/audit.log does not capture this event
Any input is much appreciated!
Thanks in advance
Betty
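The "Success or failure?" thread above and this mount question turn on the same point: success= and exit= in a SYSCALL record describe that one syscall, not the command as a whole. cp's execve succeeded, so its record says success=yes; the error the user saw came from cp's later stat of the missing source file, which is only recorded if a rule covers stat and would then carry exit=-2 (ENOENT). Likewise, run by a non-root user, mount(8) prints "only root can do that" and exits before it ever calls mount(2), so a rule keyed on -S mount has nothing to match; the exit=-13 (EACCES) seen under strace corresponds to the open of /etc/mtab, not to a mount syscall. The following added example, not code from either post, parses constructed SYSCALL/EXECVE records and decodes the exit value into an errno name. The syscall-number tables and all record contents (serials, pids, timestamps) are made up to illustrate the two cases.

```python
"""Decode success/exit in Linux audit SYSCALL records.

Added example, not code from any post in these threads. The records below
are constructed by hand (serials, pids and timestamps are made up) to mirror
the two situations discussed: `sudo cp qwerty /etc/xxx` and a non-root
`mount`. The syscall tables cover only the numbers the samples use; on a
real system use `ausyscall --dump` or `aureport -i` for the full mapping.
"""
import errno
import re

# Partial syscall-number tables keyed by the raw arch field (a hypothetical
# subset of the real tables, limited to what the samples need).
SYSCALL_NAMES = {
    "c000003e": {59: "execve", 4: "stat"},   # x86_64
    "40000003": {5: "open", 21: "mount"},    # i386
}

# Constructed sample records. Event 597 is the execve of cp (success=yes:
# the exec itself worked); event 598 is cp's stat of the missing source
# file, which is where the real failure lives; event 599 is a non-root
# mount(8), which fails on /etc/mtab and never reaches mount(2).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1342121963.214:597): arch=c000003e syscall=59 success=yes exit=0 ppid=590 pid=598 auid=500 uid=0 comm="cp" exe="/bin/cp" key="ROOT"
type=EXECVE msg=audit(1342121963.214:597): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1342121963.215:598): arch=c000003e syscall=4 success=no exit=-2 ppid=590 pid=598 auid=500 uid=0 comm="cp" exe="/bin/cp" key=(null)
type=SYSCALL msg=audit(1342122001.007:599): arch=40000003 syscall=5 success=no exit=-13 ppid=600 pid=601 auid=500 uid=500 comm="mount" exe="/bin/mount" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Turn one audit.log line into a dict of field -> value (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        raise ValueError("no audit(time:serial) stamp in %r" % line)
    rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def outcome(rec):
    """Return (syscall_name, succeeded, errno_name) for one SYSCALL record.

    success= is the kernel's view of this syscall only; exit= is its return
    value, and a negative value is -errno, i.e. what the caller actually saw.
    """
    if rec.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record")
    nr = int(rec["syscall"])
    name = SYSCALL_NAMES.get(rec["arch"], {}).get(nr, "syscall#%d" % nr)
    ret = int(rec["exit"])
    err = errno.errorcode.get(-ret) if ret < 0 else None
    return name, rec["success"] == "yes", err


def analyze(log_text):
    """Group records by event serial and decode each event's SYSCALL outcome."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["_serial"], {})
        if rec["type"] == "SYSCALL":
            ev["outcome"] = outcome(rec)
            ev["comm"] = rec.get("comm")
            ev["auid"] = rec.get("auid")
        elif rec["type"] == "EXECVE":
            ev["argv"] = [rec["a%d" % i] for i in range(int(rec["argc"]))]
    return events


if __name__ == "__main__":
    for serial, ev in sorted(analyze(SAMPLE_LOG).items()):
        name, ok, err = ev["outcome"]
        print("%s %-6s %-7s success=%-5s %-7s %s" % (
            serial, ev["comm"], name, ok, err or "", " ".join(ev.get("argv", []))))
```

Running it shows the execve record as a genuine success and the two failures as ENOENT and EACCES on stat and open respectively; no event in the sample decodes to mount, which is exactly why a rule on -S mount stays silent for the non-root case.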