AUTO: Gavin Appleton is out of the office. (returning 23/08/2012)
by Gavin Appleton
I am out of the office until 23/08/2012.
Note: This is an automated response to your message "Linux-audit Digest,
Vol 95, Issue 12" sent on 21/8/2012 5:00:04 PM.
This is the only notification you will receive while this person is away.
This e-mail is confidential and, if you are not the intended recipient, please return it to us and do not retain or disclose it. We filter and monitor e-mails in order to protect our system and the integrity, confidentiality and availability of e-mails. We cannot guarantee that e-mails are risk free and are not responsible for any related damage or unauthorised alteration of e-mails by third parties after sending.
For more information on Standard Life group, visit our website http://www.standardlife.com/
Standard Life plc (SC286832), Standard Life Assurance Limited* (SC286833) and Standard Life Employee Services Limited (SC271355) are all registered in Scotland at Standard Life House, 30 Lothian Road, Edinburgh EH1 2DH. *Authorised and regulated by the Financial Services Authority. 0131 225 2552. Calls may be recorded/monitored. Standard Life group includes Standard Life plc and its subsidiaries.
12 years, 2 months
GPL-less alternatives to the Audit Userland
by Nathaniel Husted
For a while I've been working on a project that ports/forks Audit to
the Android platform (https://github.com/nwhusted/AuditdAndroid). I
currently have a proof of concept in operation and I am working on
getting the relevant kernel code back-patched and the userland code
integrated in Android. One of the primary issues raised at the moment
is that the Android Open Source Project code base is not compatible with
GPL code. I am currently unaware of any userland audit interface that
is not under the GPL. I was wondering if anyone on the list knew of
any, if they even exist? Any information is much appreciated.
Cheers,
Nathaniel Husted
12 years, 2 months
cross-compiling difficulty with on-the-fly gen/build/use paradigm
by John Baron
I'm having a problem trying to cross-compile audit. The problem is that
gen_actiontabs_h is built using the cross-compiler (for ARM), and then it's
asked to run on the host (x86_64). [I've seen some discussion of cross-compiling,
but this issue hasn't been brought up, AFAICT]
make all-recursive
make[1]: Entering directory `/src/blah-blah/external-3rdparty/audit'
Making all in lib
make[2]: Entering directory `/src/blah-blah/external-3rdparty/audit/lib'
arm_v5t_le-gcc -DHAVE_CONFIG_H -I. -I.. -I. -I.. -I../auparse -I/include -
I/include -L/lib -fPIC -DPIC -D_GNU_SOURCE '-DTABLE_H="actiontab.h"' -g -O2 -MT
gen_actiontabs_h-gen_tables.o -MD -MP -MF .deps/gen_actiontabs_h-gen_tables.Tpo
-c -o gen_actiontabs_h-gen_tables.o `test -f 'gen_tables.c' || echo
'./'`gen_tables.c
mv -f .deps/gen_actiontabs_h-gen_tables.Tpo .deps/gen_actiontabs_h-gen_tables.Po
/bin/sh ../libtool --tag=CC --mode=link arm_v5t_le-gcc -fPIC -DPIC -
D_GNU_SOURCE '-DTABLE_H="actiontab.h"' -g -O2 -L/lib -L/lib -o gen_actiontabs_h
gen_actiontabs_h-gen_tables.o
libtool: link: arm_v5t_le-gcc -fPIC -DPIC -D_GNU_SOURCE -
DTABLE_H=\"actiontab.h\" -g -O2 -o gen_actiontabs_h gen_actiontabs_h-
gen_tables.o -L/lib
./gen_actiontabs_h --lowercase --i2s --s2i action > actiontabs.h
/bin/sh: ./gen_actiontabs_h: cannot execute binary file
make[2]: *** [actiontabs.h] Error 126
make[2]: Leaving directory `/src/blah-blah/external-3rdparty/audit/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/src/blah-blah/external-3rdparty/audit'
make: *** [all] Error 2
Is there a simple way around this? A complex way, perhaps? Extra points for
simple!
Thanks
- John
12 years, 2 months
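An added check for the failure shown in this build log (example code, not from the audit project or the post): it reads the ELF e_machine field of a generated helper such as gen_actiontabs_h and compares it with a known-native binary, so a cross-compiled tool is reported before make tries to execute it. The sample headers, the /bin/sh default and the function names are assumptions.

```python
import struct
import sys

# e_machine values from the ELF specification for the architectures in this thread
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
HEADER_LEN = 20  # enough of the file to reach e_machine (offsets 18..19)

# Constructed 20-byte headers: a little-endian ARM tool and a little-endian x86-64 host binary.
SAMPLE_ARM_HEADER = b"\x7fELF\x01\x01\x01" + bytes(9) + b"\x02\x00" + struct.pack("<H", 40)
SAMPLE_X86_64_HEADER = b"\x7fELF\x02\x01\x01" + bytes(9) + b"\x02\x00" + struct.pack("<H", 62)


def elf_machine(header: bytes) -> int:
    """Return the e_machine field of an ELF header, honouring EI_DATA for byte order."""
    if len(header) < HEADER_LEN or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    byte_order = "<" if header[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(byte_order + "H", header[18:20])[0]


def describe(header: bytes) -> str:
    code = elf_machine(header)
    return f"{ELF_MACHINES.get(code, 'unknown')} ({code})"


def runnable_on(tool_header: bytes, host_header: bytes) -> bool:
    """True when the build tool targets the same machine as a binary known to run on this host."""
    return elf_machine(tool_header) == elf_machine(host_header)


def check_build_tool(tool_path: str, host_binary: str = "/bin/sh") -> str:
    """Explain, before make runs it, whether a generated helper can execute on this host."""
    with open(tool_path, "rb") as f:
        tool = f.read(HEADER_LEN)
    with open(host_binary, "rb") as f:
        host = f.read(HEADER_LEN)
    if runnable_on(tool, host):
        return f"{tool_path}: {describe(tool)}, matches host"
    return (f"{tool_path}: built for {describe(tool)} but host is {describe(host)}; "
            "build this generator with the native compiler instead")


if __name__ == "__main__":
    print(check_build_tool(sys.argv[1], *sys.argv[2:3]))
```

The usual remedy is to compile such build-time generators with the host's native compiler rather than the cross compiler.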
AUTO: Gavin Appleton is out of the office. (returning 20/08/2012)
by Gavin Appleton
I am out of the office until 20/08/2012.
Note: This is an automated response to your message "Linux-audit Digest,
Vol 95, Issue 10" sent on 18/8/2012 5:00:03 PM.
This is the only notification you will receive while this person is away.
12 years, 2 months
aureport and command lines
by Michael Mather
I have written my own version of aureport. It is still buggy etc, but it
does already provide something interesting.
For example, it can show command lines. It takes something in the log
like:
uid=1000 euid=0
argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
uid = 0 euid=0
argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
and puts out:
uid euid command
--- ---- -------
1000 0 sudo cp qwerty /etc/xxx
0 0 cp qwerty /etc/xxx
which is interesting.
My question is whether I could have done something like this with
aureport.
(This is part of a much bigger question as to how audit can be used to
meet PCI requirements.)
Thanks - Michael
----------------
12 years, 2 months
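An added example of the command-line reconstruction described in this post (example code, not the author's aureport variant): it joins the uid/euid from SYSCALL records with the argc/aN fields of EXECVE records by event serial, decodes the hex-encoded arguments auditd emits for values with spaces, and marks the gap when fewer aN fields arrive than argc promises. The sample log is constructed and the function names are assumptions.

```python
import re

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value pairs of one audit record
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # event serial shared by all records of one event

# Constructed sample in raw audit.log format (not taken from the post); third event arrives out of order.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1345543210.123:42): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=0
type=EXECVE msg=audit(1345543210.123:42): argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
type=SYSCALL msg=audit(1345543210.124:43): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0
type=EXECVE msg=audit(1345543210.124:43): argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
type=EXECVE msg=audit(1345543210.130:44): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=SYSCALL msg=audit(1345543210.130:44): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=1000
"""


def decode_arg(value: str) -> str:
    """Plain args are double-quoted; auditd hex-encodes args containing spaces or control bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex (e.g. "(null)"); keep verbatim


def command_lines(log_text: str):
    """Join SYSCALL credentials with EXECVE arguments per event serial; returns (uid, euid, command) rows."""
    events = {}
    for line in log_text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        fields = dict(FIELD_RE.findall(line))
        ev = events.setdefault(int(serial.group(1)), {"uid": "?", "euid": "?", "argc": 0, "args": {}})
        if fields.get("type") == "SYSCALL":
            ev["uid"], ev["euid"] = fields.get("uid", "?"), fields.get("euid", "?")
        elif fields.get("type") == "EXECVE":
            ev["argc"] = int(fields.get("argc", 0))
            for key, value in fields.items():
                if key[0] == "a" and key[1:].isdigit():
                    ev["args"][int(key[1:])] = decode_arg(value)
    rows = []
    for serial in sorted(events):
        ev = events[serial]
        # argc is the kernel's count; if fewer aN fields were logged, show the gap instead of hiding it
        argv = [ev["args"].get(i, "<missing>") for i in range(ev["argc"])]
        rows.append((ev["uid"], ev["euid"], " ".join(argv)))
    return rows
```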
Advice on enriching logs with user and group names before moving them to a central log repository
by Burn Alting
Hi,
I have a scenario of a mixed collection of Linux systems, some that have
users authenticate via a central ldap, others have local (/etc/passwd)
authentication.
This means I cannot depend 100% on the user name, say fred, with uid
1000, having the same uid on every machine he has an account on. Thus,
before I send my logs to a central server, I want to enrich them with
user and group names I validate at the local machine. That is, I want to
change an event's ids
from
.... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
sgid=43 fsgid=43 ....
to
.... uid=1000(fred) gid=1000(prog) euid=1000(fred)
suid=1000(fred) fsuid=1000(fred) egid=43(utmp) sgid=43(utmp)
fsgid=43(utmp) ....
I BELIEVE my best approach is to use the event multiplexor (audispd) to
convert raw logs via a child program, say based on the sample code,
audisp-example (i.e. using the auparse library)
and send the output of this audisp-example variant to syslog to get
the event to a central repository.
Is this the best approach?
Are there parameters I should consider for audisp.conf (e.g. q_depth =
99999)? Does such a configuration option in audisp.conf suggest I make
the buffer size set in audit.rules to something higher?
Is there any consideration to having auditd have an option to directly
generate user and group names in addition to uid and gids?
Thanks in advance
Burn
12 years, 2 months
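An added example of the enrichment step this post describes, as an audisp child program would apply it to each record before forwarding to syslog (example code, not the audit project's audisp-example): every uid/gid field is rewritten to id=N(name) using the local machine's NSS answers, unresolved ids are tagged unknown, unset ids are left alone, and a second pass over an already-enriched line changes nothing. The sample record, lookup tables and function names are assumptions.

```python
import grp
import pwd
import re

# Audit fields that carry a uid or gid (SYSCALL, PATH and USER_* records); (?!\() keeps a second pass a no-op
ID_FIELD_RE = re.compile(r'\b(auid|uid|gid|euid|suid|fsuid|egid|sgid|fsgid|ouid|ogid)=(\d+)\b(?!\()')
UNSET_ID = 4294967295  # -1 as an unsigned 32-bit value: audit's marker for "no id"


def local_user(uid: int):
    """Resolve via NSS on this machine, so LDAP- and /etc/passwd-backed names are found the same way."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def local_group(gid: int):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def enrich(record: str, user_lookup=local_user, group_lookup=local_group) -> str:
    """Rewrite id=N fields as id=N(name); unresolved ids become N(unknown), unset ids stay untouched."""
    def annotate(match):
        field, value = match.group(1), int(match.group(2))
        if value == UNSET_ID:
            return match.group(0)
        lookup = group_lookup if field.endswith("gid") else user_lookup
        return f"{field}={value}({lookup(value) or 'unknown'})"
    return ID_FIELD_RE.sub(annotate, record)


def enrich_stream(lines, **lookups):
    """Per-record transformation an audisp child would apply before handing each line to syslog."""
    return [enrich(line, **lookups) for line in lines]


# Constructed sample record and lookup tables standing in for this machine's NSS answers.
SAMPLE_RECORD = ("type=SYSCALL msg=audit(1345543210.123:42): auid=4294967295 uid=1000 gid=1000 "
                 "euid=1000 suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 tty=pts0")
SAMPLE_USERS = {1000: "fred"}
SAMPLE_GROUPS = {1000: "prog", 43: "utmp"}
```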
100% reliable Oops
by Peter Moody
This seems to be some combination of Xen and the audit subsystem, but
the attached program crashes my machine 100% of the time.
steps to reproduce the crash:
* 1) compile with gcc -m32
* 2) start auditd, install any rule (I've only tested syscall
auditing, but any syscall seems to work).
* /etc/init.d/auditd start ; auditctl -D ; auditctl -a
exit,always -F arch=64 -S chmod
* 3) run'n wait (this only loops twice for me before dying)
* ./a.out
* 4) bask in instantaneous kernel oops.
It's running 2.6.38.8 (but I've seen this bug all the way up to
3.5.0-rc7, the latest I've tested). It's a fairly beefy setup, 32G
memory and 6 cpus.
It's a little bit funky in that it's a 64 bit system and a 32 bit
binary, but something about that 64 bit/32 bit mismatch and the fact
that this is not running on bare metal leads to a crash 100% of the
time.
Anyone have any idea what's going on?
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12 years, 2 months
missing user name
by Harris, Todd
I'm looking at a problem that has me really scratching my head.
I've got a rhel 5.4 system that's using likewise and active directory to authenticate users, at least ones that are not defined locally. Locally defined users work just fine, but any user that is defined in the active directory server is showing up in events as "unknown(uid)". The uid appears to be filled out correctly, and if the user is defined locally as well as in active directory it works just fine, but that kind of defeats the purpose. Also, failed logins are showing up correctly, but I can't figure out what they have done to their system to cause this. Can anyone give me a little direction on where I should look to determine what's actually going on? I haven't been able to determine how the system actually resolves the user names.
Don't know if this is important, but we are using the prelude plugin, and where we notice the discrepancy is in the output from the prelude-manager. I have not looked to see if it's wrong in the aureords.
_______________________________
Todd Harris
Progeny Systems
Office Number: 703-368-6107 ext517
12 years, 3 months