On Wednesday 03 December 2008 09:57:48 Loredan Stancu wrote:
> >> 1. audisp-prelude plugin is not generating events when a user is logged in.
> >
> > Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
> > Without that, you won't see anything.
>
> The problem is that no USER_LOGIN appears in the log file. No events are
> generated when a user is logged in.
You likely need to compile openssh with a "--with-linux-audit" option to the
configure line. If your distribution does not have the openssh audit patch, you
can find it here:
http://cvs.fedora.redhat.com/viewvc/devel/openssh/openssh-4.7p1-audit.patch?revision=1.1
Another question: Can auditd generate events when a user is logging in
using ssh? Does that imply ssh uses PAM? I ask this because I want to use audit
on a production server and I'm not allowed to manually install packages. I
am only allowed to use emerge to install packages. At this moment I do not
have a USE flag (Gentoo-specific) corresponding to --with-linux-audit.
@Steve :) : Can you help me please with audisp-remote? I'll explain again
what I want to do:
Let's say I have 3 machines (M1, M2, M3). M1 and M2 are 2 production servers.
M3 is a centralized event machine. On M1 and M2 run auditd and
audisp-remote.
audisp-remote sends events to M3. I know how to configure auditd and
audisp-remote on M1 and M3. What I don't know is what I should do on M3 so
that it can receive events from M1 and M2 and store these events in a regular
file.
After this is clarified I'll see how I should do it to separate events based
on the node machine (M1 and M2).
> >> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
> >
> > For which event? The loginuid is mostly what I concentrated on since that
> > tells you how they got into the machine.
>
> For any events. I am using prelude-manager and prewikka and I can't see
> any uid or gid of any events.
I'll check what I'm collecting. But I'm sure that loginuid should be there
whenever it's relevant.
> >> 3. No events are generated for watched files/exec/mk_exe if no two -k
> >> options are specified in the rule. One of the -k options should contain
> >> '-k ids-type-severity' and another -k may contain anything. If you specify
> >> only one -k option no events are generated.
> >
> > You need 2 rules to cover this:
> >
> > auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file -k ids-mkexe-hi
> > auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' -F filetype=file -k ids-mkexe-hi
> >
> > It works fine on my system. Also note that it depends on having a recent
> > kernel.
>
> On Gentoo linux I'm using kernel version 2.6.26-gentoo-r3 and on Debian
> system I'm using kernel version 2.6.26-1-686
> In both kernels I have support for audit and inotify.
And you are able to load and list the 2 rules I sent above? Can you find the
results with ausearch --start today -k mkexe -m SYSCALL ? You might also
strace the app that's making executables that you are trying to catch to make
sure you have a rule that will catch it.
Yes, I could load those rules and this is what is loaded when a file gets
execution rights:
type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi"
type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit"
type=PATH msg=audit(1228324240.067:14): item=0 name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
> >> Another question is how I can use audisp-remote to send events somewhere
> >> remote?
I think I answered this in the other email, but to be clear, the audisp-remote
plugin wants to talk to a remote audit daemon. So the chain of custody for an
event looks like:
kernel->auditd->audispd->audisp-remote->auditd->file
-Steve
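As an added example (not from the thread and not part of the audit package), a small Python parser for raw records like the ones quoted above: it groups SYSCALL/CWD/PATH records by event id, decodes the mode argument of the fchmodat/chmod/fchmod rules Steve posted (i386 syscall numbers assumed, matching arch=40000003), and flags events whose auid is still 4294967295, the unset loginuid that the quoted record shows and that a login path without pam_loginuid leaves behind. The sample log is the thread's own three records plus one constructed event.

```python
import re
from collections import defaultdict

UNSET_ID = 4294967295  # (unsigned)-1: pam_loginuid never set auid/ses for this process
# i386 (arch=40000003) numbers for the syscalls in the thread's rules -> (name, mode register)
MODE_ARG = {("40000003", "15"): ("chmod", "a1"), ("40000003", "94"): ("fchmod", "a1"),
            ("40000003", "306"): ("fchmodat", "a2")}
REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Sample input: the three records quoted in the thread, plus one constructed event
# (serial 15) from a session where pam_loginuid did set auid and ses.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi"
type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit"
type=PATH msg=audit(1228324240.067:14): item=0 name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=SYSCALL msg=audit(1228324300.500:15): arch=40000003 syscall=15 success=yes exit=0 a0=9f2c008 a1=1c0 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi"
type=PATH msg=audit(1228324300.500:15): item=0 name="/home/darkone/script.sh" inode=65248 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
"""

def parse_audit_log(text):
    """Group raw auditd records by their audit(timestamp:serial) event id."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events[(ts, int(serial))]
        if rtype == "PATH":
            ev["PATH"].append(fields)  # one PATH record per items= entry
        else:
            ev[rtype] = fields
    return dict(events)

def summarize_mkexe(event):
    """Describe one ids-mkexe event: syscall, target, requested mode, usability of auid."""
    sc = event["SYSCALL"]
    name, reg = MODE_ARG[(sc["arch"], sc["syscall"])]
    mode = int(sc[reg], 16)  # argument registers are logged as bare hex
    auid = int(sc["auid"])
    return {"syscall": name, "comm": sc.get("comm"), "key": sc.get("key"),
            "target": [p["name"] for p in event["PATH"]],
            "requested_mode": oct(mode), "adds_exec": bool(mode & 0o111),
            "auid": auid, "loginuid_unset": auid == UNSET_ID}

def unattributable_events(text):
    """Serials of exec-granting events whose auid was never set (the thread's symptom)."""
    return sorted(serial for (_, serial), ev in parse_audit_log(text).items()
                  if "SYSCALL" in ev and summarize_mkexe(ev)["loginuid_unset"])
```

Running unattributable_events over a real log is a quick way to confirm the login path is not setting loginuid before chasing the plugins downstream.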