Audit reporting misses AUDIT_SOCKETCALL (1306) message when 32-bit binary is running from 64-bit machine.
by Kangkook Jee
Hi all,
We are running a 32-bit program on a 64-bit machine (Ubuntu 14.04, 3.13.0-57-generic kernel - x86_64) that typically issues network-related system calls which, in turn, invoke one of the socketcall() system calls.
However, an expected raw audit message -- AUDIT_SOCKETCALL (1304) -- is reported when we run the 32-bit binary from a 64-bit machine. The following are the raw audit messages captured for the connect() system call on a 64-bit machine running the 32-bit binary.
MSG (1300): audit(1462273146.351:21482453): arch=40000003 syscall=102 success=no exit=-2 a0=3 a1=ffe38240 a2=f7751000 a3=4 items=0 ppid=10269 pid=10755 auid=19287 uid=19287 gid=19287 euid=19287 suid=19287 fsuid=19287 egid=19287 sgid=19287 fsgid=19287 tty=pts16 ses=12 comm="conn" exe="/home/accountname/32bit_test/conn" key=(null)
MSG (1306): audit(1462273146.351:21482453): saddr=01002F7661722F72756E2F6E7363642F736F636B657400B7160054B7160054B71600130000001300000004000000010000000100000000000000000000000000000028791A0028791A000500000000100000CD5D77F734D676F748A15BF7D4811A00E82C0000A858000006000000
MSG (1320): audit(1462273146.351:21482453):
And this is the raw audit message captured from a 32-bit machine (CentOS 5 2.6.18-404.el5 i686) running 32-bit binary.
MSG (1300): audit(1462289555.340:807319): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef25b0 a2=67dff4 a3=816840 items=0 ppid=28509 pid=28560 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=10 comm="conn" exe="/home/kjee/conn" subj=user_u:system_r:unconfined_t:s0 key=(null)
MSG (1306): audit(1462289555.340:807319): saddr=020000358A0F6D630000000000000000000000000000000000000000
MSG (1304): audit(1462289555.340:807319): nargs=3 a0=4 a1=859c4b8 a2=1c
MSG (1320): audit(1462289555.340:807319):
I hope you can catch the difference: the first case does not report the AUDIT_SOCKETCALL (1304) event, while the second case reports the entry providing the list of arguments starting with "nargs=".
Could you tell me whether this is an expected behavior? Or is there any way that I can fix it?
I'm attaching the source code of the test program (conn.c) and summarize the procedure to reproduce the problem. If you have any difficulty reproducing the issue, please let me know.
1. We added the following audit rules on a 64-bit machine. They are intended to capture events from both 64-bit and 32-bit system calls.
/sbin/auditctl -a exit,always -F arch=b64 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork -S 288 -S accept -S connect -S listen -S socket -S socketpair
/sbin/auditctl -a exit,always -F arch=b32 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=3 # connect
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=4 # listen
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=5 # accept
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=8 # socketpair
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=18 # accept4
$ sudo auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=open,close,dup,dup2,socket,connect,accept,listen,socketpair,clone,fork,vfork,execve,exit,rename,creat,unlink,exit_group,openat,unlinkat,renameat,accept4,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=exit,fork,open,close,creat,unlink,execve,rename,dup,dup2,clone,vfork,exit_group,openat,unlinkat,renameat,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=1 (0x1) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=3 (0x3) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=4 (0x4) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=5 (0x5) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=8 (0x8) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=18 (0x12) syscall=socketcall
2. We added the following audit rules on a 32-bit machine.
/sbin/auditctl -a exit,always -F arch=b32 -S clone -S close -S creat -S dup -S dup2 -S dup3 -S execve -S exit -S exit_group -S fork -S open -S openat -S rename -S renameat -S unlink -S unlinkat -S vfork
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=2
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=3
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=4
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=5
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=8
/sbin/auditctl -a exit,always -F arch=b32 -S socketcall -F a0=18
LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=exit,fork,open,close,creat,unlink,execve,rename,dup,dup2,clone,vfork,exit_group,openat,unlinkat,renameat,dup3
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=1 (0x1) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=2 (0x2) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=3 (0x3) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=4 (0x4) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=5 (0x5) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=8 (0x8) syscall=socketcall
LIST_RULES: exit,always arch=1073741827 (0x40000003) a0=18 (0x12) syscall=socketcall
3. Build the conn.c source and run it.
conn.c is a simple connection client.
$ cc -o conn conn.c
$ ./conn <remote_host> <port>
Example run
$ ./conn localhost 22
$ Please enter the message: this is random message
SSH-2.0-OpenSSH_4.3
Thanks a lot for your help in advance.
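The two captures above differ only in whether a SOCKETCALL (1304) record accompanies the SYSCALL/SOCKADDR pair for the same event serial. The script below is an added example, not code from the post or from the audit project: it groups raw records by serial, decodes the saddr hex of the SOCKADDR (1306) record (AF_UNIX path, or AF_INET/AF_INET6 address and port), and flags 32-bit socketcall events that arrive without a 1304 record. The sample input is constructed from the two captures in the post, with the SYSCALL lines trimmed to the fields the script uses and the AF_UNIX saddr cut at the path terminator (the kernel dumps the whole sockaddr_un, whose bytes past the terminator are not part of the path); the record-type and address-family numbers are Linux values.

```python
"""Group raw audit records by event serial, decode SOCKADDR (1306) and
flag 32-bit socketcall events that lack the SOCKETCALL (1304) record."""
import ipaddress
import re
import struct
from collections import defaultdict

# Kernel audit record types, as printed in the post's "MSG (...)" tags.
AUDIT_SYSCALL, AUDIT_SOCKETCALL, AUDIT_SOCKADDR, AUDIT_EOE = 1300, 1304, 1306, 1320
# Linux address-family numbers, read from the first two (host-order) bytes of saddr.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
# arch= and syscall= values for i386 socketcall, exactly as the SYSCALL record prints them.
I386_ARCH, I386_NR_SOCKETCALL = "40000003", "102"

RECORD_RE = re.compile(r"^MSG \((\d+)\): audit\((\d+\.\d+):(\d+)\):\s*(.*)$")


def parse_record(line):
    """Split one 'MSG (type): audit(ts:serial): k=v ...' line into a dict, or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
    return {"type": int(rtype), "time": ts, "serial": int(serial), "fields": fields}


def decode_saddr(hexstr):
    """Decode the hex dump of struct sockaddr carried by a SOCKADDR record."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]        # sa_family is host order (x86: little endian)
    if family == AF_UNIX:
        path = raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": path}
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]     # sin_port is network order
        return {"family": "AF_INET", "addr": str(ipaddress.IPv4Address(raw[4:8])), "port": port}
    if family == AF_INET6:
        port = struct.unpack("!H", raw[2:4])[0]
        return {"family": "AF_INET6", "addr": str(ipaddress.IPv6Address(raw[8:24])), "port": port}
    return {"family": family}


def analyse(lines):
    """Per event serial: is it an i386 socketcall, did a 1304 record come with it, and where to?"""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    report = {}
    for serial, recs in events.items():
        syscall = next((r for r in recs if r["type"] == AUDIT_SYSCALL), None)
        if syscall is None:
            continue
        f = syscall["fields"]
        types = {r["type"] for r in recs}
        saddr = next((decode_saddr(r["fields"]["saddr"]) for r in recs
                      if r["type"] == AUDIT_SOCKADDR and "saddr" in r["fields"]), None)
        report[serial] = {
            "exe": f.get("exe", "").strip('"'),
            "is_i386_socketcall": f.get("arch") == I386_ARCH and f.get("syscall") == I386_NR_SOCKETCALL,
            "socketcall_op": f.get("a0"),            # 3 = SYS_CONNECT in the socketcall multiplexer
            "has_socketcall_record": AUDIT_SOCKETCALL in types,
            "saddr": saddr,
        }
    return report


# Constructed sample: the post's two captures, SYSCALL lines trimmed, AF_UNIX saddr cut
# at the path terminator, AF_INET saddr with the zero tail written out explicitly.
SAMPLE_X86_64_HOST = [
    'MSG (1300): audit(1462273146.351:21482453): arch=40000003 syscall=102 success=no exit=-2 a0=3 '
    'a1=ffe38240 a2=f7751000 a3=4 items=0 pid=10755 comm="conn" exe="/home/accountname/32bit_test/conn" key=(null)',
    'MSG (1306): audit(1462273146.351:21482453): saddr=01002F7661722F72756E2F6E7363642F736F636B657400',
    'MSG (1320): audit(1462273146.351:21482453):',
]
SAMPLE_I386_HOST = [
    'MSG (1300): audit(1462289555.340:807319): arch=40000003 syscall=102 success=yes exit=0 a0=3 '
    'a1=bfef25b0 a2=67dff4 a3=816840 items=0 pid=28560 comm="conn" exe="/home/kjee/conn" key=(null)',
    'MSG (1306): audit(1462289555.340:807319): saddr=' + "020000358A0F6D63" + "00" * 20,
    'MSG (1304): audit(1462289555.340:807319): nargs=3 a0=4 a1=859c4b8 a2=1c',
    'MSG (1320): audit(1462289555.340:807319):',
]

if __name__ == "__main__":
    for serial, info in analyse(SAMPLE_X86_64_HOST + SAMPLE_I386_HOST).items():
        status = "ok" if info["has_socketcall_record"] else "MISSING 1304"
        print(f"{serial}: {info['exe']} socketcall op={info['socketcall_op']} {status} -> {info['saddr']}")
```

Run against the post's captures, the x86_64 event (serial 21482453) decodes to the AF_UNIX path /var/run/nscd/socket with no 1304 record, while the i386 event (serial 807319) decodes to an AF_INET connect to port 53 and does carry the 1304 record; the same grouping works on `ausearch --raw` output once the "MSG (type)" prefix is swapped for the `type=` field that ausearch prints.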
8 years, 5 months
audit-tools and SUDO
by Warron S French
Good morning everyone,
I am working on an environment where I have managed to get centralized audit logging to work - roughly 95% properly on six (6) CentOS-6.7 workstations and a single (1) CentOS-6.7 server.
I have two problems though; and they seem somewhat minor:
1. The audit events being captured don't seem to be tied to any given node (so that I can perform ausearch --node hostName, or aureport), that's the first issue.
2. The second issue is that I need to configure sudo to enable my Special Security Team with the ability to perform their duties using the aureport and the ausearch commands, but I get an error that appears to be based on permissions.
I am hoping that you guys can steer me in the correct direction; and I can update my documentation to be even a little more thorough.
Scenario 2 might be more of a membership issue now that I think about it; so please disregard it, as I think this is some weird 389-ds issue.
I am hoping though that someone can suggest a reason why, when I look directly at the content of /var/log/audit/audit.log, I am not seeing any references to node=hostname1, hostname2 .. hostnameN? Maybe I did misconfigure something, but I followed my own instructions to the "T" and they didn't produce this issue.
Thank you in advance for your precious time sincerely,
Warron French, MBA, SCSA
8 years, 5 months
How to Audit ssh Commands --> wget, scp
by varun gulati
Hi Team,
We have a requirement where we have to monitor and log any read operations performed on a file.
e.g. /a/b/c/xyz.log
This file is usually copied and downloaded by many users using various operations, like wget, ssh, or a JSP download link provided. These commands are fired from different hosts.
With auditd we want to create a rule which auditctl can leverage to log the user ID that is reading (and copying) it, maybe from a different host. I have gone through many of the rules but didn't find anything fruitful as such (which logs wget, scp commands from remote hosts). Maybe I am missing something. Since it is a very crucial requirement, I appreciate your guidance and directions with this.
Let me know in case you require any further information from my end. Many thanks in advance.
Thanks and Regards,
Varun Gulati
8 years, 5 months
Re: audit 2.5.1 released
by Manuel Scunthorpe
Dear Steve, thanks for your helpful observations. I was able to modify the PKGBUILD and successfully build the package, and then build e4rat-lite which was my ultimate aim. Sadly it didn't seem to work in Arch Linux due to the kernel config options, e4rat-lite-collect didn't collect anything, complained about being unable to log anything due to a bad file descriptor and there was a message at boot saying Cannot open audit socket, which was similar to what auditctl said in the terminal. Of course it might work and I've got something else wrong, it doesn't look encouraging though without CONFIG_AUDIT enabled. But I was just looking at my Void Linux kernel options:
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
This looks more promising so I will have to try it here instead sometime, although what I will have to build to fulfill the various builddeps I don't yet know. Would it be OK if I tried to make an 'audit' package for Void Linux if they want one? There isn't one in the repo at present, so if I get a working build then I might as well share it. It could take a while to get to that point though, and that's assuming I can get everything to work in Void and don't end up using some other readahead utility altogether or accidentally corrupting my filesystem. But I can be happy I'm building audit correctly now. I will try and pass on your comments about zos servers and openldap-devel to the Arch packagers as I can only take credit for the confusion over the systemd support option in my earlier PKGBUILD.
Here's my successful modified PKGBUILD with the correct checksum for 2.5.1, which downloads and builds cleanly:
# Edit /etc/makepkg.conf: staticlibs not !staticlibs or they are deleted by makepkg.
# $Id: PKGBUILD 146469 2015-11-10 05:04:55Z thestinger $
# Maintainer: Daniel Micay <danielmicay(a)gmail.com>
# Contributor: <kang(a)insecure.ws>
# Contributor: Massimiliano Torromeo <massimiliano.torromeo(a)gmail.com>
# Contributor: Connor Behan <connor.behan(a)gmail.com>
# Contributor: henning mueller <henning(a)orgizm.net>
pkgname=audit
pkgver=2.5.1
pkgrel=1
pkgdesc='Userspace components of the audit framework'
url='https://people.redhat.com/sgrubb/audit'
arch=(i686 x86_64)
depends=(krb5 libcap-ng)
makedepends=(libldap swig linux-headers python)
license=(GPL)
options=(emptydirs)
groups=('modified')
backup=(
etc/libaudit.conf
etc/audit/auditd.conf
etc/audisp/audispd.conf
etc/audisp/audisp-remote.conf
etc/audisp/plugins.d/af_unix.conf
etc/audisp/plugins.d/au-remote.conf
etc/audisp/plugins.d/syslog.conf
)
source=("$url/$pkgname-$pkgver.tar.gz")
sha256sums=('3c6ec72d8c16d1e85cc2b9c260cc6440319eb294cb54ca41a7bbe9283cc9f421')
install=$pkgname.install
build() {
  cd $pkgname-$pkgver
  export PYTHON=/usr/bin/python3
  ./configure \
    --prefix=/usr \
    --sbindir=/usr/bin \
    --sysconfdir=/etc \
    --libexecdir=/usr/lib/audit \
    --with-python=yes \
    --enable-gssapi-krb5=yes \
    --enable-systemd=no \
    --with-libcap-ng=yes \
    --disable-zos-remote \
    --enable-static=yes
  make
}
package() {
  cd $pkgname-$pkgver
  make DESTDIR="$pkgdir" install
  cd "$pkgdir"
  install -d var/log/audit
  rm -rf etc/rc.d etc/sysconfig usr/lib/audit
  # The configs still point at /sbin; rewrite them for the --sbindir=/usr/bin layout.
  sed -ri 's|/sbin|/usr/bin|' \
    etc/audit/*.conf \
    etc/audisp/plugins.d/*.conf
}
8 years, 5 months
audit review question
by Warron S French
Hello, I hope you all are well and meeting your own professional challenges very well.
I have a scenario that I need a little help understanding how to work through in an isolated environment of 1 server and 6 workstations (7 machines).
The 7 machines are all running CentOS-6.7 and selinux = disabled.
All 6 workstations are configured through rsyslog.conf to send audit data to the server, and I have (apparently not successfully) configured general system messages to also report back to the same server.
I am using the conventional filesystems for each, but the directory structure below is different.
For audit, I use /var/log/audit/2016/04/27/wk{1..6}_audit.log; the directories per day, per month and per year are auto-created (miraculously).
For system messages, and I know this isn't the forum to get help on this, I will only list the directory: /var/log/2016/04/27/wk{1..6}_syslog.log.
Now that I am doing this, and successfully, I want to test that the security auditors will be able to do their job properly, as well as I am trying to comply with some security constraint that requires me to centralize the logdata into a single server (hence the major driver for all of this).
I know that there are the aureport and ausearch commands, but I am not sure that I am able to figure out the correct command-line structure to test that audit data is getting into the appropriate file, on each day of the year, on a per-serverName basis.
If a real-world situation occurred that the Security Auditors were asking to find out how many machines did userX attempt to log into, what would be the appropriate command for the example audit directory I listed above (/var/log/audit/2016/04/27/wk{1..6}_audit.log), because I am not sure I am running the command with the appropriate switches to scan the files properly?
I used:
* aureport -if /var/log/audit/2016/04/27/ and it didn't like the input,
* aureport -if /var/log/audit/2016/04/27/* and it didn't like the input,
am I using the command improperly?
Warron French, MBA, SCSA
8 years, 6 months
Exported symbols removed in 2.5.2
by Laurent Bigonville
Hello,
In Debian, during the build of a package, we have a tool checking if
symbols are removed from shared libraries.
With the 2.5.2 release, I get the following output:
--- debian/libauparse0.symbols (libauparse0_1:2.5.2-1_amd64)
+++ dpkg-gensymbolsmB_9P2 2016-05-03 15:01:10.606713310 +0000
@@ -1,7 +1,7 @@
libauparse.so.0 libauparse0 #MINVER#
au_terminate_all_events@Base 1:2.5.1
- audit_strsplit@Base 1:2.4.2
- audit_strsplit_r@Base 1:2.4.2
+#MISSING: 1:2.5.2-1# audit_strsplit@Base 1:2.4.2
+#MISSING: 1:2.5.2-1# audit_strsplit_r@Base 1:2.4.2
auparse_add_callback@Base 1:2.2.1
auparse_destroy@Base 1:2.2.1
auparse_do_interpretation@Base 1:2.3.1
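Review bot: the two `#MISSING: 1:2.5.2-1#` markers show audit_strsplit@Base and audit_strsplit_r@Base dropping out of libauparse.so.0 while the SONAME (the `.0` in the header line) is unchanged, so any consumer linked against 1:2.4.2 that references them will fail at load time; either restore the exports upstream or treat this as an ABI break with a SONAME bump and a matching package rename rather than silently editing the symbols file.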
@@ -49,4 +49,4 @@
ausearch_clear@Base 1:2.2.1
ausearch_next_event@Base 1:2.2.1
ausearch_set_stop@Base 1:2.2.1
- set_escape_mode@Base 1:2.4.4
+#MISSING: 1:2.5.2-1# set_escape_mode@Base 1:2.4.4
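Review bot: set_escape_mode@Base 1:2.4.4 is the only name in this hunk without the ausearch_/auparse_ prefix the surrounding symbols carry, so before deciding between restoring it and documenting the removal, confirm whether it was ever declared in a public header or was an internal helper that leaked into the export list; the answer decides whether the symbols file entry is simply deleted or the removal is recorded as an ABI change in the changelog.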
dpkg-gensymbols: warning: some symbols or patterns disappeared in the
symbols file: see diff output below
dpkg-gensymbols: warning: debian/libaudit1/DEBIAN/symbols doesn't match
completely debian/libaudit1.symbols
--- debian/libaudit1.symbols (libaudit1_1:2.5.2-1_amd64)
+++ dpkg-gensymbolsQATT_C 2016-05-03 15:01:10.802717308 +0000
@@ -56,7 +56,7 @@
audit_rule_syscall_data@Base 1:2.2.1
audit_rule_syscallbyname_data@Base 1:2.2.1
audit_send@Base 1:2.2.1
- audit_send_user_message@Base 1:2.2.1
+#MISSING: 1:2.5.2-1# audit_send_user_message@Base 1:2.2.1
audit_set_backlog_limit@Base 1:2.2.1
audit_set_backlog_wait_time@Base 1:2.4.2
audit_set_enabled@Base 1:2.2.1
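Review bot: this hunk is against debian/libaudit1.symbols, i.e. libaudit.so.1 rather than libauparse, so audit_send_user_message@Base 1:2.2.1 is a separate removal in a second library and needs its own check of reverse dependencies; if the drop is intentional, dpkg-gensymbols expects the line to be removed from the symbols file (not left for the #MISSING marker), and if it is not, the export needs restoring upstream before 2.5.2 is packaged.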
Is it expected that these 4 symbols have been removed?
Cheers,
Laurent Bigonville
8 years, 6 months