Excluding selected CRYPTO_KEY_USER events
by Richard Young
I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would
like to exclude just specific ones.
I would like to exclude ones for a specific UID, hostname, or IP.
There are many examples of how to exclude specific files, directory events,
or syscall events.
Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
UID, hostname, or IP?
8 years, 9 months
Patch to auparse to handle out of order messages 1 of 3
by Burn Alting
All,
The TODO for 2.5.1 requested
* Fix auparse to handle out of order messages
The problem was that should a stream of raw auditd logs be processed by
auparse(), then if the records that make up a single auditd event were
interleaved with each other, auparse() would 'silently' discard event
data.
Ausearch/Aureport does not have this problem as it handles such
interleaved event records. The approach to solve this problem was to
take the ausearch/aureport's list of list event record code (lol) and
incorporate it into auparse().
The following three patches address this problem.
#1 - convert the existing code to change auparse's auparse_state_t (aka
struct opaque) event_list_t element 'le' to be a pointer, so the 'lol'
code can more seamlessly fit in.
#2 - the 'lol' patch itself. Integrate the ausearch/aureport 'lol' code
into auparse() and adjust auparse() to deal with maintaining an in-core list
of incomplete events.
#3 - modify the standard auparse() test code.
Regards
Burn Alting
8 years, 10 months
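An added example, not code from the patches or from the audit project: grouping raw records by event id so that interleaved events are reassembled, beside a consecutive-only grouper that fragments them. The sample records, the `MAX_AGE` cut-off and the function names are assumptions made for illustration.

```python
import re

# Header of a raw audit record: record type, timestamp (sec.ms) and serial.
HEADER = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\)")
MAX_AGE = 2  # assumed: seconds after which an open event is treated as complete

def event_key(line):
    m = HEADER.match(line)
    return (m.group(1), (int(m.group(2)), m.group(3), int(m.group(4)))) if m else None

def reassemble(lines):
    """Group records by (sec, ms, serial), tolerating interleaved events."""
    pending, done = {}, []
    for line in lines:
        parsed = event_key(line)
        if parsed is None:
            continue
        rtype, key = parsed
        pending.setdefault(key, []).append(rtype)
        if rtype == "EOE":  # end-of-event record closes the event
            done.append((key, pending.pop(key)))
        # Events much older than the current record can no longer grow.
        for old in [k for k in pending if key[0] - k[0] > MAX_AGE]:
            done.append((old, pending.pop(old)))
    done.extend(sorted(pending.items()))  # end of input: flush the rest
    return done

def consecutive_only(lines):
    """Start a new event whenever the id changes; interleaving fragments it."""
    out = []
    for rtype, key in filter(None, map(event_key, lines)):
        if out and out[-1][0] == key:
            out[-1][1].append(rtype)
        else:
            out.append((key, [rtype]))
    return out

# Constructed sample: two events whose records arrive interleaved.
SAMPLE = [
    "type=SYSCALL msg=audit(1000000000.100:1): syscall=59",
    "type=SYSCALL msg=audit(1000000000.200:2): syscall=82",
    "type=EXECVE msg=audit(1000000000.100:1): argc=2",
    "type=PATH msg=audit(1000000000.200:2): item=0",
    "type=CWD msg=audit(1000000000.100:1): cwd=\"/root\"",
    "type=EOE msg=audit(1000000000.100:1): ",
    "type=EOE msg=audit(1000000000.200:2): ",
]

if __name__ == "__main__":
    for key, types in reassemble(SAMPLE):
        print(key, types)
    print(len(consecutive_only(SAMPLE)), "fragments without reassembly")
```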
How to monitor audit/audispd killed
by Matthew Chao
Hi,
I added the following rules in audit.rules to monitor auditd/audispd being
killed (audit ver: 1.8):
=============
-a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
-a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
Or
-a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
-a exit,always -S kill -F path=/var/run/audispd_events -k cfg
=============
However, these rules don't work: even when the processes (auditd/audispd) are
killed, I can't get any related messages except DAEMON_END.
8 years, 10 months
Aureport on Centos 7 : Strange behavior
by Maupertuis Philippe
Hi,
I came across a strange aureport behavior that would amount to a bug unless I am doing something wrong.
I am on Centos 7.2 with :
[root@odbfi021s ~]# rpm -qa|grep audit
audit-libs-2.4.1-5.el7.x86_64
audit-2.4.1-5.el7.x86_64
If I run aureport -k --summary -ts yesterday 09:00 -te yesterday 10:00 I get the answer immediately.
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:00 -te yesterday 10:00
Key Summary Report
===========================
total key
===========================
409 log_IAM
27 IAM64
26 audit_log
23 open64
16 etc
1 deletion
Same thing with any round five-minute interval:
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:35 -te yesterday 09:40
Key Summary Report
===========================
total key
===========================
1 IAM64
1 log_IAM
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:40 -te yesterday 09:45
Key Summary Report
===========================
total key
===========================
393 log_IAM
16 etc
11 audit_log
3 IAM64
2 open64
1 deletion
But if I request a ten-minute interval, or a five-minute interval not starting at zero or five, aureport hangs!
[root@odbfi021s ~]# aureport -k --summary -ts yesterday 09:35 -te yesterday 09:45
Key Summary Report
===========================
total key
===========================
^C
Ausearch is ok with the same parameters :
[root@odbfi021s ~]# ausearch -ts yesterday 09:35 -te yesterday 09:45 |head
----
time->Mon Jan 4 09:39:08 2016
type=PATH msg=audit(1451896748.069:31806): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=133906 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PATH msg=audit(1451896748.069:31806): item=0 name="/sbin/aide" inode=131924 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=CWD msg=audit(1451896748.069:31806): cwd="/root"
type=EXECVE msg=audit(1451896748.069:31806): argc=2 a0="aide" a1="-C"
type=SYSCALL msg=audit(1451896748.069:31806): arch=c000003e syscall=59 success=yes exit=0 a0=11f7d10 a1=11f7bf0 a2=111e8b0 a3=7ffce7b64200 items=2 ppid=21754 pid=21830 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1230 comm="aide" exe="/usr/sbin/aide" key="IAM64"
----
time->Mon Jan 4 09:39:08 2016
type=PATH msg=audit(1451896748.105:31807): item=1 name="/var/log/aide/aide.log" inode=67 dev=fd:05 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
[root@odbfi021s ~]#
Please let me know what I should do.
Regards
Philippe
________________________________
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
8 years, 10 months
Using a watch to find who is using a file
by Maupertuis Philippe
Hi list
Our DBAs complained that vim swap files were renamed instead of being deleted.
With an audit watch we were able to tell them to stop their silly cron rename job :)
However, the audit log is missing an important piece of information: the job name.
It seems that we didn't capture the exe name associated with the parent pid.
If I am not misunderstanding the results below, pid = 28351 is for the exe /bin/mv.
I would have liked to know the exe of the parent pid.
Is there a way to ensure that the audit log includes the executable name associated with every pid?
Or the exe associated with the pid starting a new session?
What we did was:
To find out how vim swap files were renamed without the leading dot, the following rule was inserted:
auditctl -w /etc/mysql -p war -k test_swp
which gave us the following result :
----
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=3 name=param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=2 name=.param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=1 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=0 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/22/2015 11:45:01.766:1660580) : cwd=/etc/mysql
type=SYSCALL msg=audit(12/22/2015 11:45:01.766:1660580) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffe46229db3 a1=0x7ffe46229dc8 a2=0x0 a3=0x7ffe46227c80 items=4 ppid=28254 pid=28351 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=mv exe=/bin/mv key=swp_move
Searching for the whole session gave us :
----
type=LOGIN msg=audit(12/22/2015 11:45:01.458:1660551) : pid=28174 uid=root old auid=unset new auid=mysql old ses=unset new ses=276356
----
type=USER_START msg=audit(12/22/2015 11:45:01.468:1660570) : user pid=28174 uid=root auid=mysql ses=276356 msg='op=PAM:session_open acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=CRED_DISP msg=audit(12/22/2015 11:45:01.932:1660589) : user pid=28174 uid=mysql auid=mysql ses=276356 msg='op=PAM:setcred acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=USER_END msg=audit(12/22/2015 11:45:01.932:1660590) : user pid=28174 uid=mysql auid=mysql ses=276356 msg='op=PAM:session_close acct=mysql exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success'
----
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=3 name=param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=CREATE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=2 name=.param-MYLHCE01V.swp inode=49283 dev=fd:00 mode=file,640 ouid=root ogid=root rdev=00:00 nametype=DELETE
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=1 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=PATH msg=audit(12/22/2015 11:45:01.766:1660580) : item=0 name=/etc/mysql inode=49308 dev=fd:00 mode=dir,755 ouid=mysql ogid=mysql rdev=00:00 nametype=PARENT
type=CWD msg=audit(12/22/2015 11:45:01.766:1660580) : cwd=/etc/mysql
type=SYSCALL msg=audit(12/22/2015 11:45:01.766:1660580) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffe46229db3 a1=0x7ffe46229dc8 a2=0x0 a3=0x7ffe46227c80 items=4 ppid=28254 pid=28351 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=mv exe=/bin/mv key=swp_move
----
type=PATH msg=audit(12/22/2015 11:45:01.767:1660581) : item=1 name=(null) inode=319568 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(12/22/2015 11:45:01.767:1660581) : item=0 name=/bin/chmod inode=40985 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(12/22/2015 11:45:01.767:1660581) : cwd=/etc/mysql
type=EXECVE msg=audit(12/22/2015 11:45:01.767:1660581) : argc=3 a0=chmod a1=660 a2=param-MYLHCE01V.swp
type=SYSCALL msg=audit(12/22/2015 11:45:01.767:1660581) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f5b008c2959 a1=0x7f5b008c26c8 a2=0x7f5b008c2828 a3=0x8 items=2 ppid=28254 pid=28355 auid=mysql uid=mysql gid=mysql euid=mysql suid=mysql fsuid=mysql egid=mysql sgid=mysql fsgid=mysql tty=(none) ses=276356 comm=chmod exe=/bin/chmod key=system_commands
Happy new year.
Philippe
8 years, 10 months
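An added example, not part of the original post: when execve is audited as well, the parent's executable can be recovered by joining the `ppid` of the watched event against earlier execve SYSCALL records. The records below are constructed (the parent's execve record does not appear in the post's log), and the function names are assumptions.

```python
import re

FIELD = re.compile(r"(\w+)=(\S+)")

def fields(line):
    """Parse key=value pairs from one interpreted (ausearch -i) record."""
    return dict(FIELD.findall(line))

def ancestry(lines, key):
    """Return [(pid, exe), ...], child first, for the first SYSCALL with `key`.

    Records are read in log order and each successful execve updates
    pid -> (exe, ppid), so a reused pid resolves to its most recent image.
    A pid with no execve record on file is reported with exe "?".
    """
    procs = {}
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        f = fields(line)
        if f.get("syscall") == "execve" and f.get("success") == "yes":
            procs[f["pid"]] = (f["exe"], f["ppid"])
        if f.get("key") == key:
            chain, pid = [(f["pid"], f["exe"])], f["ppid"]
            while pid in procs and len(chain) < 16:  # bound the walk
                exe, parent = procs[pid]
                chain.append((pid, exe))
                pid = parent
            chain.append((pid, "?"))  # first ancestor without an execve record
            return chain
    return []

# Constructed records: the two execve lines are invented for the example.
SAMPLE = [
    "type=SYSCALL msg=audit(12/22/2015 11:45:01.700:1) : syscall=execve "
    "success=yes ppid=28174 pid=28254 comm=sh exe=/bin/bash key=system_commands",
    "type=SYSCALL msg=audit(12/22/2015 11:45:01.760:2) : syscall=execve "
    "success=yes ppid=28254 pid=28351 comm=mv exe=/bin/mv key=system_commands",
    "type=SYSCALL msg=audit(12/22/2015 11:45:01.766:3) : syscall=rename "
    "success=yes ppid=28254 pid=28351 comm=mv exe=/bin/mv key=swp_move",
]

if __name__ == "__main__":
    for pid, exe in ancestry(SAMPLE, "swp_move"):
        print(pid, exe)
```

With only the rename record available, as in the post, the chain stops at the parent pid with exe "?".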
audit 2.4.5 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix auditd disk flushing for data and sync modes
- Fix auditctl to not show options not supported on older OS
- Add audit.m4 file to aid adding support to other projects
- Fix C99 inline function build issue
- Add account lock and unlock event types
- Change logging loophole check to geteuid()
- Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
- Fix ausearch to parse FEATURE_CHANGE events
This release fixes disk flushing to work as it was intended. If you use either
the data or sync mode, you might notice a performance change.
This release also fixes a build issue when using a new compiler.
The loophole that we allow for a process to continue when it should fail was
changed to use the euid rather than the uid. This should be more correct based
on the capabilities man page.
Ausearch was having problems parsing AUDIT_PROCTITLE and FEATURE_CHANGE
events. This was cleaned up and now passes the ausearch-test test suite.
This release will also be the beginning point of a new branch, audit-2.4, that
will be lightly maintained for a while. At this point I don't think there will
be a 2.4.6 release, but you never know.
Going forward to the 2.5 release, I would like to make a lot of changes to the
rules and break them up into small ones that can be assembled by augenrules. I
will also restructure a few of the directories and get things ready to start
doing more with the data format. The audit by process name patch will be
applied real soon since a kernel with that work should be landing soon.
Please let me know if you run across any problems with this release.
-Steve
8 years, 10 months