What constitutes -f failure?
by leam hall
The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is
that "failure" any logging event? Or just logging events when the backlog
is higher than whatever the -b option sets it to?
Thanks!
Leam
--
Mind on a Mission <http://leamhall.blogspot.com/>
12 years, 2 months
auid?
by leam hall
Hey all,
I'm trying to find a definition of "auid", besides "audit UID". If user Joe
with UID 1814 logs in and sudo to application account "british" which has a
UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
"su -" to root, is their auid 0?
Thanks!
Leam
--
Mind on a Mission <http://leamhall.blogspot.com/>
12 years, 2 months
Re: auid?
by leam hall
James, thanks! I thought that was it, but I have to brief on recommended
audit.rules changes and hate telling someone something when I'm not sure.
Leam
On Tue, Oct 29, 2013 at 3:43 PM, CHAPLIN, JAMES (CTR) <
JAMES.CHAPLIN(a)cbp.dhs.gov> wrote:
> His auid will be 1814 and does not change as long as he is log into that
> account, he can su to any ID, but the auid remains the same.****
>
> ** **
>
> James Chaplin, ITIL® v3 Foundation
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, a CA Technologies Company
> Supporting the zSeries Platform Team
> ****Data** **Center**** Operations Branch
> Enterprise Data Center Operations Group
> ****Enterprise**** Data Management & Engineering Division
> Office of Information and Technology
> Department of Homeland Security/U.S. Customs & Border Protection
> (703) 921-6220
> James.Chaplin(a)cbp.dhs.gov****
>
> [image: image005]****
>
> ** **
>
> *From:* linux-audit-bounces(a)redhat.com [mailto:
> linux-audit-bounces(a)redhat.com] *On Behalf Of *leam hall
> *Sent:* Tuesday, October 29, 2013 3:40 PM
> *To:* linux-audit(a)redhat.com
> *Subject:* auid?****
>
> ** **
>
> Hey all,
>
> I'm trying to find a definition of "auid", besides "audit UID". If user
> Joe with UID 1814 logs in and sudo to application account "british" which
> has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone
> does an "su -" to root, is their auid 0?****
>
> Thanks!****
>
> Leam
>
> ****
>
>
> -- ****
>
> Mind on a Mission <http://leamhall.blogspot.com/>****
>
--
Mind on a Mission <http://leamhall.blogspot.com/>
12 years, 2 months
how to use auditd to record all user command history
by zhu xiuming
HI
I know this seems an old topic. But unfortunately, I can't find a solution
for this. I have googled long time. I tried following options:
1. audit execv syscall,
this does record every command typed any tty. However, it generates
lots of noise. Sometimes, the execv syscall is so frequently called that
the system can't afford to log every call of it and it crashes !!!
2. use *pam_tty_audit.so
*
this makes it possible to record one or two users, not all users. *
*
So, may I ask, is this problem solvable by auditd or do I need other tools ?
*
*
*Thanks a lot
*
*
*
12 years, 2 months
Re: how to use auditd to record all user command history
by Aschu
Sent from Huawei Mobile
zhu xiuming <xiumingzhu(a)gmail.com> wrote:
>Thanks a lot.
>
>I think it is better to use audit for me because it is also not so easy to
>get a third-party software installed on our hosts.
>Maybe I am considering how to scrutinize good audit rules of watching
>"execv".
>
>Thanks a lot
>
>
>On Wed, Oct 9, 2013 at 4:23 PM, Smith, Gary R <gary.smith(a)pnnl.gov> wrote:
>
>> Hi,****
>>
>> ** **
>>
>> What’s the “best way to do it” is dependent on your system.****
>>
>> ** **
>>
>> That said, I can offer two non-audit suggestions.****
>>
>> ** **
>>
>> One I call the “Old Shell Game”. Stick this bash code in in the
>> appropriate system wide bash file:****
>>
>> ** **
>>
>> function log****
>>
>> ** **
>>
>> {****
>>
>> ** **
>>
>> typeset x****
>>
>> ** **
>>
>> x=$(history 1 | cut -f 5-)****
>>
>> ** **
>>
>> logger -p daemon.notice -t "$LOGNAME" $PWD "${x# }"****
>>
>> ** **
>>
>> }****
>>
>> ** **
>>
>> trap log DEBUG****
>>
>> ** **
>>
>> And you get things like this in your syslog:****
>>
>> ** **
>>
>> Apr 8 13:50:51 dr-who root: /root 18 ls -ls /etc/pam.d/*su*****
>>
>> Apr 8 13:51:17 dr-who root: /root 19 ps -ef | grep audit | grep -v
>> grep****
>>
>> Apr 8 13:51:53 dr-who root: /root 20 ps -ef | grep -v root | wc –l **
>> **
>>
>> Apr 8 13:52:31 dr-who root: /root 21 ps -ef | grep -v root | sort |
>> more****
>>
>> ** **
>>
>> Is this easy to defeat? Yup. But it will let you get experiment with
>> command logging and see if it’s really of any benefit to you.****
>>
>> ** **
>>
>> Another is use the program called “snoopy” available at
>> http://sourceforge.net/projects/snoopylogger/****
>>
>> ** **
>>
>> It uses a little known feature of the Linux loader, namely, LD_PRELOAD. **
>> **
>>
>> ** **
>>
>> Once you’ve got it in place you get output like this:****
>>
>> ** **
>>
>> Apr 13 16:55:19 dr-who snoopy[2029]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/uname]: uname –a****
>>
>> Apr 13 16:56:18 dr-who snoopy[2031]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps –ef****
>>
>> Apr 13 16:57:50 dr-who snoopy[2035]: [uid:0 sid:1890 tty:/dev/pts/1
>> cwd:/root filename:/bin/ps]: ps -ef ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2036]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep audit ****
>>
>> Apr 13 16:57:50 dr-who snoopy[2037]: [uid:0 sid:1890 tty: cwd:/root
>> filename:/bin/grep]: grep -v grep ****
>>
>> ** **
>>
>> It’s not as easy to circumvent as the above bash code. As a suggestion
>> based on experience, don’t put snoopy into affect until after the system is
>> up. You really don’t want to log all the commands root does in the process
>> of starting up a system.****
>>
>> ** **
>>
>> I hope this helps.****
>>
>> ** **
>>
>> Best regards,****
>>
>> ** **
>>
>> Gary Smith****
>>
>> Information System Security Officer****
>>
>> Pacific Northwest National Laboratory****
>>
>> ** **
>>
>> *From:* linux-audit-bounces(a)redhat.com [mailto:
>> linux-audit-bounces(a)redhat.com] *On Behalf Of *zhu xiuming
>> *Sent:* Wednesday, October 09, 2013 3:11 PM
>> *To:* Steve Grubb
>> *Cc:* Richard Guy Briggs; Linux-audit(a)redhat.com
>> *Subject:* Re: how to use auditd to record all user command history****
>>
>> ** **
>>
>> Thanks. ****
>>
>> I know the kernel do the most work. So, I can't use pam_tty_audit for our
>> hosts. ****
>>
>> However, I still hope to record user command history. I just wonder what
>> is the best way to do it.
>>
>> ****
>>
>> ** **
>>
>> On Wed, Oct 9, 2013 at 2:57 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:****
>>
>> On Wednesday, October 09, 2013 02:51:39 PM zhu xiuming wrote:
>> > So, if I can't update all kernels (the cost will be very high), is there
>> > any other way to resolve this issue?****
>>
>> The kernel is what does all the heavy work in the audit system. Auditd only
>> records to disk, pam_tty_audit and auditctl tell the kernel what they are
>> interested in. But all the action is in the kernel, not user space.
>>
>> -Steve****
>>
>>
>> > On Tue, Oct 8, 2013 at 2:33 PM, Richard Guy Briggs <rgb(a)redhat.com>
>> wrote:
>> > > On Tue, Oct 08, 2013 at 02:05:48PM -0700, zhu xiuming wrote:
>> > > > Thanks for your reply.
>> > > > Currently, our Linux kernel versions are mostly Redhat
>> 2.6.18-xxx.el5. I
>> > > > wonder whether it supports this feature.
>> > >
>> > > The log_passwd feature has not been backported to RHEL5 because the
>> > > pam_tty_audit feature wasn't backported to RHEL5, so I would have to
>> say
>> > > it is not supported in your system.
>> > >
>> > > An upgrade is necessary.
>> > >
>> > > > On Mon, Oct 7, 2013 at 8:13 PM, Richard Guy Briggs <rgb(a)redhat.com>
>> > >
>> > > wrote:
>> > > > > On Mon, Oct 07, 2013 at 10:30:24AM -0700, zhu xiuming wrote:
>> > > > > > This is correct. The problem is, this records every keystrokes
>> and
>> > >
>> > > even
>> > >
>> > > > > > the password of the users. While I only care about the user
>> command
>> > > > > > history, I surely do not want to know their passwords.
>> > > > >
>> > > > > There is now support in the upstream kernel (3.10-rc1) and in pam
>> > > > > (1.1.8+) to not record passwords by default. If you want the old
>> > > > > behaviour, add the optional argument to pam_tty_audit: "log_passwd"
>> > > > >
>> > > > > > On Sun, Oct 6, 2013 at 2:40 PM, Trevor Vaughan <
>> > >
>> > > tvaughan(a)onyxpoint.com
>> > >
>> > > > > >wrote:
>> > > > > > > Does pam_tty_audit with enable=* not do what you want?
>> > > > > > >
>> > > > > > > Trevor
>> > > > > > >
>> > > > > > > On Sun, Oct 6, 2013 at 5:26 PM, zhu xiuming <
>> xiumingzhu(a)gmail.com>
>> > > > >
>> > > > > wrote:
>> > > > > > >> HI
>> > > > > > >> I know this seems an old topic. But unfortunately, I can't
>> find a
>> > > > > > >> solution for this. I have googled long time. I tried following
>> > > > >
>> > > > > options:
>> > > > > > >> 1. audit execv syscall,
>> > > > > > >>
>> > > > > > >> this does record every command typed any tty. However, it
>> > > > >
>> > > > > generates
>> > > > >
>> > > > > > >> lots of noise. Sometimes, the execv syscall is so frequently
>> > >
>> > > called
>> > >
>> > > > > that
>> > > > >
>> > > > > > >> the system can't afford to log every call of it and it crashes
>> > > > > > >> !!!
>> > > > > > >>
>> > > > > > >> 2. use *pam_tty_audit.so
>> > > > > > >> *
>> > > > > > >> this makes it possible to record one or two users, not all
>> users.
>> > >
>> > > *
>> > >
>> > > > > > >> *
>> > > > > > >> So, may I ask, is this problem solvable by auditd or do I need
>> > >
>> > > other
>> > >
>> > > > > > >> tools ?*
>> > > > > > >>
>> > > > > > >> *
>> > > > > > >> *Thanks a lot
>> > > > > > >
>> > > > > > > Trevor Vaughan
>> > > > >
>> > > > > - RGB
>> > >
>> > > - RGB
>> > >
>> > > --
>> > > Richard Guy Briggs <rbriggs(a)redhat.com>
>> > > Senior Software Engineer
>> > > Kernel Security
>> > > AMER ENG Base Operating Systems
>> > > Remote, Ottawa, Canada
>> > > Voice: +1.647.777.2635
>> > > Internal: (81) 32635
>> > > Alt: +1.613.693.0684x3545****
>>
>> ** **
>>
>
>--
>Linux-audit mailing list
>Linux-audit(a)redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit
12 years, 2 months
[PATCH] audit: Add cmdline to taskinfo output
by William Roberts
On some devices, the cmdline and task info vary. For instance, on
Android, the cmdline is set to the package name, and the task info
is the name of the VM, which is not very helpful.
The additional cmdline output only runs if the audit feature
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
This will apply to Richard's tree on branch audit-for-next. This
requires eparis's generic get/set patches.
fs/proc/base.c | 2 +-
include/linux/proc_fs.h | 1 +
include/uapi/linux/audit.h | 4 +++-
kernel/audit.c | 38 +++++++++++++++++++++++++++++++++++++-
4 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 03c8d74..cb1ba2f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -200,7 +200,7 @@ static int proc_root_link(struct dentry *dentry, struct path *path)
return result;
}
-static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+int proc_pid_cmdline(struct task_struct *task, char *buffer)
{
int res = 0;
unsigned int len;
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 608e60a..2f386b3 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -41,6 +41,7 @@ extern void *proc_get_parent_data(const struct inode *);
extern void proc_remove(struct proc_dir_entry *);
extern void remove_proc_entry(const char *, struct proc_dir_entry *);
extern int remove_proc_subtree(const char *, struct proc_dir_entry *);
+extern int proc_pid_cmdline(struct task_struct *, char *);
#else /* CONFIG_PROC_FS */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index e2f0d99..5d77124 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -388,7 +388,9 @@ struct audit_features {
#define AUDIT_FEATURE_ONLY_UNSET_LOGINUID 0
#define AUDIT_FEATURE_LOGINUID_IMMUTABLE 1
-#define AUDIT_LAST_FEATURE AUDIT_FEATURE_LOGINUID_IMMUTABLE
+#define AUDIT_FEATURE_CMDLINE_OUTPUT 2
+#define AUDIT_LAST_FEATURE AUDIT_FEATURE_CMDLINE_OUTPUT
+
#define audit_feature_valid(x) ((x) >= 0 && (x) <= AUDIT_LAST_FEATURE)
#define AUDIT_FEATURE_TO_MASK(x) (1 << ((x) & 31)) /* mask for __u32 */
diff --git a/kernel/audit.c b/kernel/audit.c
index 8378c5e..bf4b1af 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -63,6 +63,7 @@
#include <linux/freezer.h>
#include <linux/tty.h>
#include <linux/pid_namespace.h>
+#include <linux/proc_fs.h>
#include "audit.h"
@@ -144,9 +145,10 @@ static struct audit_features af = {.vers = AUDIT_FEATURE_VERSION,
.features = 0,
.lock = 0,};
-static char *audit_feature_names[2] = {
+static char *audit_feature_names[3] = {
"only_unset_loginuid",
"loginuid_immutable",
+ "audit_output_cmdline",
};
@@ -1691,6 +1693,39 @@ error_path:
}
EXPORT_SYMBOL(audit_log_task_context);
+static void audit_log_add_cmdline(struct audit_buffer *ab,
+ struct task_struct *tsk)
+{
+ int len;
+ unsigned long page;
+
+ /* Ensure that the feature is set */
+ if (!is_audit_feature_set(AUDIT_FEATURE_CMDLINE_OUTPUT))
+ return;
+
+ /* Get the process cmdline */
+ page = __get_free_page(GFP_TEMPORARY);
+ if (!page)
+ return;
+
+ len = proc_pid_cmdline(tsk, (char *)page);
+ if (len <= 0) {
+ free_page(page);
+ return;
+ }
+
+ /*
+ * Ensure NULL terminated! Application could
+ * could be using setproctitle(3).
+ */
+ ((char *)page)[len-1] = '\0';
+
+ audit_log_format(ab, " cmdline=");
+ audit_log_untrustedstring(ab, (char *)page);
+
+ free_page(page);
+}
+
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
{
const struct cred *cred;
@@ -1739,6 +1774,7 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
up_read(&mm->mmap_sem);
}
audit_log_task_context(ab);
+ audit_log_add_cmdline(ab, tsk);
}
EXPORT_SYMBOL(audit_log_task_info);
--
1.7.9.5
12 years, 2 months
[PATCH] audit: Add cmdline to taskinfo output
by William Roberts
>From 0a8623b8f9fa625da81364cf3b87d2799171f83e Mon Sep 17 00:00:00 2001
From: William Roberts <wroberts(a)tresys.com>
Date: Tue, 22 Oct 2013 14:23:27 -0700
Subject: [PATCH] audit: Add cmdline to taskinfo output
On some devices, the cmdline and task info vary. For instance, on
Android, the cmdline is set to the package name, and the task info
is the name of the VM, which is not very helpful.
Change-Id: I98a417c9ab3b95664c49aa1c7513cfd8296b6a2a
Signed-off-by: William Roberts <wroberts(a)tresys.com>
---
fs/proc/base.c | 2 +-
include/linux/proc_fs.h | 1 +
kernel/auditsc.c | 24 ++++++++++++++++++++++++
3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2f198da..25b73d3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -209,7 +209,7 @@ struct mm_struct *mm_for_maps(struct task_struct *task)
return mm_access(task, PTRACE_MODE_READ);
}
-static int proc_pid_cmdline(struct task_struct *task, char * buffer)
+int proc_pid_cmdline(struct task_struct *task, char *buffer)
{
int res = 0;
unsigned int len;
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 85c5073..d85ac14 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -118,6 +118,7 @@ struct pid_namespace;
extern int pid_ns_prepare_proc(struct pid_namespace *ns);
extern void pid_ns_release_proc(struct pid_namespace *ns);
+extern int proc_pid_cmdline(struct task_struct *task, char *buffer);
/*
* proc_tty.c
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 27ad9dd..7f2bf41 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -67,6 +67,7 @@
#include <linux/syscalls.h>
#include <linux/capability.h>
#include <linux/fs_struct.h>
+#include <linux/proc_fs.h>
#include "audit.h"
@@ -1158,6 +1159,8 @@ static void audit_log_task_info(struct audit_buffer
*ab, struct task_struct *tsk
char name[sizeof(tsk->comm)];
struct mm_struct *mm = tsk->mm;
struct vm_area_struct *vma;
+ unsigned long page;
+ int len;
/* tsk == current */
@@ -1179,6 +1182,27 @@ static void audit_log_task_info(struct audit_buffer
*ab, struct task_struct *tsk
}
up_read(&mm->mmap_sem);
}
+
+ /* Get the process cmdline */
+ page = __get_free_page(GFP_TEMPORARY);
+ if (!page)
+ goto out;
+
+ len = proc_pid_cmdline(tsk, (char *)page);
+ if (len <= 0)
+ goto free;
+
+ /*
+ * Ensure NULL terminated! Application could
+ * could be using setproctitle(3).
+ */
+ ((char *)page)[len-1] = '\0';
+
+ audit_log_format(ab, " cmdline=");
+ audit_log_untrustedstring(ab, (char *)page);
+free:
+ free_page(page);
+out:
audit_log_task_context(ab);
}
--
1.7.9.5
12 years, 2 months
auditd without a logfile?
by Peter Moody
Is there anyway to run auditd without any local logging? I'm trying to
see if I can get auditd to completely avoid logging locally, using only
a custom dispatcher to log events remotely but auditd refuses to start
if I set log_file = '/dev/null'.
Cheers,
peter
12 years, 2 months
