9:51 p.m.
Hi Team,
I have enabled the audit logs recently ... Currently the auditd daemon is
logging all the event and syscalls done based on default rule set ...
But currently it only record the events done by the root user or by the
sudo ...
Need your help to configure the same for Group wise ... so that i can track
the group wise events done , rather then adding a rule for each individual
users.
--
Thanks & Regards,
- Koresh
9:37 a.m.
What rules are currently installed and what logs are you seeing?
On Oct 17, 2012 5:59 AM, "Koresh..." <koreshkumar(a)gmail.com> wrote:
Hi Team,
I have enabled the audit logs recently ... Currently the auditd daemon is
logging all the event and syscalls done based on default rule set ...
But currently it only record the events done by the root user or by the
sudo ...
Need your help to configure the same for Group wise ... so that i can
track the group wise events done , rather then adding a rule for each
individual users.
--
Thanks & Regards,
- Koresh
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
8:39 p.m.
Hi Peter,
Currently i am tring to achive the same through below configuration on
audit.rules file ...
# Audit all execve calls
-a entry,always -S execve
-a entry,never
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exclude,always -F msgtype=CRED_DISP
But the problem on above rule is, it records all the SYSCALL and EXECV
calls. Which increasing the log file size.
So my question is why normal users audit event logs cant be captured as a
"type=USER_TTY" , where as root logs can be captured similarway.
Some logs for your reference:
type=EXECVE msg=audit(1350523801.169:137779): a0="/usr/lib/sa/sa1"
a1="1"
a2="1"
type=SYSCALL msg=audit(1350523801.169:137780): arch=40000003 syscall=11
success=yes exit=0 a0=86e0ec0 a1=86e08b8 a2=86e0ed8 a3=86e08b8 items=2
ppid=18623 pid=18624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="sadc" exe="/usr/lib/sa/sadc"
subj=kernel key=(null)
type=EXECVE msg=audit(1350523801.169:137780): a0="/usr/lib/sa/sadc"
a1="-F"
a2="-L" a3="1" a4="1" a5="-"
type=USER_END msg=audit(1350523801.185:137781): user pid=18623 uid=0
auid=4294967295 subj=kernel msg='PAM: session close acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_TTY msg=audit(1350524060.169:137782): user pid=18576 uid=0
auid=655 subj=kernel msg='cat /etc/audit/audit.rules '
type=SYSCALL msg=audit(1350524060.169:137783): arch=40000003 syscall=11
success=yes exit=0 a0=8cc4780 a1=8cc4838 a2=8cbd860 a3=0 items=2 ppid=18576
pid=18625 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="cat" exe="/bin/cat" subj=kernel key=(null)
type=EXECVE msg=audit(1350524060.169:137783): a0="cat"
a1="/etc/audit/audit.rules"
type=USER_TTY msg=audit(1350524156.789:137784): user pid=18576 uid=0
auid=655 subj=kernel msg='tail -f /var/log/audit/audit.log'
type=SYSCALL msg=audit(1350524156.789:137785): arch=40000003 syscall=11
success=yes exit=0 a0=8cc4810 a1=8cc47d0 a2=8cbd860 a3=0 items=2 ppid=18576
pid=18626 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="tail" exe="/usr/bin/tail" subj=kernel key=(null)
type=EXECVE msg=audit(1350524156.789:137785): a0="tail" a1="-f"
a2="/var/log/audit/audit.log"
type=USER_END msg=audit(1350524172.558:137786): user pid=18249 uid=0
auid=1600 subj=kernel msg='PAM: session close acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'
type=SYSCALL msg=audit(1350524176.426:137787): arch=40000003 syscall=11
success=yes exit=0 a0=81f102e8 a1=81f12a60 a2=81f10300 a3=4 items=2
ppid=1045 pid=18627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=kernel key=(null)
type=EXECVE msg=audit(1350524176.426:137787): a0="/usr/sbin/sshd"
a1="-R"
type=USER_ACCT msg=audit(1350524176.642:137788): user pid=18627 uid=0
auid=4294967295 subj=kernel msg='PAM: accounting acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1350524176.642:137789): user pid=18627 uid=0
auid=4294967295 subj=kernel msg='PAM: setcred acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'
type=USER_START msg=audit(1350524176.642:137790): user pid=18627 uid=0
auid=1600 subj=kernel msg='PAM: session open acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'
type=CRED_REFR msg=audit(1350524176.642:137791): user pid=18629 uid=0
auid=1600 subj=kernel msg='PAM: setcred acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'
On Wed, Oct 17, 2012 at 8:07 PM, Peter Moody <pmoody(a)google.com> wrote:
What rules are currently installed and what logs are you seeing?
On Oct 17, 2012 5:59 AM, "Koresh..." <koreshkumar(a)gmail.com> wrote:
>
> Hi Team,
>
> I have enabled the audit logs recently ... Currently the auditd daemon is
> logging all the event and syscalls done based on default rule set ...
>
> But currently it only record the events done by the root user or by the
> sudo ...
>
> Need your help to configure the same for Group wise ... so that i can
> track the group wise events done , rather then adding a rule for each
> individual users.
>
>
> --
>
> Thanks & Regards,
>
> - Koresh
>
>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Thanks & Regards,
- Koresh
6:29 a.m.
----- Original Message -----
So my question is why normal users audit event logs cant be captured
as a "type=USER_TTY" , where as root logs can be captured
similarway.
USER_TTY is sent by the process that accepts the keyboard input.
Unprivileged users are not allowed to send audit records (otherwise they would be able to
fill the queue and/or the log partition, causing a DoS), so the USER_TTY record is
discarded.
Even for unprivileged users you should have the type=TTY records, although they are
noticeably more difficult to interpret.
Mirek
8:35 a.m.
So if i am correct, there is no way we can get the normal user activity
through auditd daemon ...
Or , please suggest the best way to capture the activity logs for normal
users ....
On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
----- Original Message -----
> So my question is why normal users audit event logs cant be captured
> as a "type=USER_TTY" , where as root logs can be captured
> similarway.
USER_TTY is sent by the process that accepts the keyboard input.
Unprivileged users are not allowed to send audit records (otherwise they
would be able to fill the queue and/or the log partition, causing a DoS),
so the USER_TTY record is discarded.
Even for unprivileged users you should have the type=TTY records, although
they are noticeably more difficult to interpret.
Mirek
--
Thanks & Regards,
- Koresh
10:33 a.m.
auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user about you're concerned?
On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar(a)gmail.com> wrote:
So if i am correct, there is no way we can get the normal user activity
through auditd daemon ...
Or , please suggest the best way to capture the activity logs for normal
users ....
On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
>
> ----- Original Message -----
> > So my question is why normal users audit event logs cant be captured
> > as a "type=USER_TTY" , where as root logs can be captured
> > similarway.
> USER_TTY is sent by the process that accepts the keyboard input.
> Unprivileged users are not allowed to send audit records (otherwise they
> would be able to fill the queue and/or the log partition, causing a DoS), so
> the USER_TTY record is discarded.
>
> Even for unprivileged users you should have the type=TTY records, although
> they are noticeably more difficult to interpret.
> Mirek
--
Thanks & Regards,
- Koresh
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
10:35 a.m.
Also, from the auditctl manpage:
The following describes the valid actions for the rule:
never No audit records will be generated. This can be used to
suppress event generation. In general, you want suppressions at the
top of the list instead of the bottom. This is because the event
triggers on the first matching rule.
On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody(a)google.com> wrote:
auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user about you're concerned?
On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar(a)gmail.com> wrote:
>
> So if i am correct, there is no way we can get the normal user activity
> through auditd daemon ...
>
> Or , please suggest the best way to capture the activity logs for normal
> users ....
>
>
>
> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
>>
>> ----- Original Message -----
>> > So my question is why normal users audit event logs cant be captured
>> > as a "type=USER_TTY" , where as root logs can be captured
>> > similarway.
>> USER_TTY is sent by the process that accepts the keyboard input.
>> Unprivileged users are not allowed to send audit records (otherwise they
>> would be able to fill the queue and/or the log partition, causing a DoS), so
>> the USER_TTY record is discarded.
>>
>> Even for unprivileged users you should have the type=TTY records, although
>> they are noticeably more difficult to interpret.
>> Mirek
>
>
>
>
> --
>
>
> Thanks & Regards,
>
> - Koresh
>
>
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
10:50 a.m.
Whoops, ignore this. I had misread your rules.
On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody <pmoody(a)google.com> wrote:
Also, from the auditctl manpage:
The following describes the valid actions for the rule:
never No audit records will be generated. This can be used to
suppress event generation. In general, you want suppressions at the
top of the list instead of the bottom. This is because the event
triggers on the first matching rule.
On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody(a)google.com> wrote:
> auditctl -a exit,always -S execve -F success=1
>
> will audit log all successful execve(2) calls by all uids. It will
> incur a (possibly significant) performance hit though. Is there a
> particular binary/user about you're concerned?
>
>
>
> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar(a)gmail.com> wrote:
>>
>> So if i am correct, there is no way we can get the normal user activity
>> through auditd daemon ...
>>
>> Or , please suggest the best way to capture the activity logs for normal
>> users ....
>>
>>
>>
>> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
>>>
>>> ----- Original Message -----
>>> > So my question is why normal users audit event logs cant be captured
>>> > as a "type=USER_TTY" , where as root logs can be captured
>>> > similarway.
>>> USER_TTY is sent by the process that accepts the keyboard input.
>>> Unprivileged users are not allowed to send audit records (otherwise they
>>> would be able to fill the queue and/or the log partition, causing a DoS), so
>>> the USER_TTY record is discarded.
>>>
>>> Even for unprivileged users you should have the type=TTY records, although
>>> they are noticeably more difficult to interpret.
>>> Mirek
>>
>>
>>
>>
>> --
>>
>>
>> Thanks & Regards,
>>
>> - Koresh
>>
>>
>>
>
>
>
> --
> Peter Moody Google 1.650.253.7306
> Security Engineer pgp:0xC3410038
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
12:02 p.m.
On Thursday, October 18, 2012 08:33:59 AM Peter Moody wrote:
auditctl -a exit,always -S execve -F success=1
will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user about you're concerned?
Well, this is not the way we normally do it in the audit world. This would
capture both system and user events. Normally you want to focus on user
events. So, if you correct this rule then you are still faced with it won't
catch sourced files. Or the user could event start python and type the commands
in directly.
So, the way we normally do this is to use the key stroke logging. The main
issue is that you won't get the meaning of up arrows and things like that. I
think there are ways of restricting the history file and in memory history so
that users cannot circumvent it.
-Steve
On Thu, Oct 18, 2012 at 6:35 AM, Koresh...
<koreshkumar(a)gmail.com> wrote:
> So if i am correct, there is no way we can get the normal user activity
> through auditd daemon ...
>
> Or , please suggest the best way to capture the activity logs for normal
> users ....
>
> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr(a)redhat.com> wrote:
>> ----- Original Message -----
>>
>> > So my question is why normal users audit event logs cant be captured
>> > as a "type=USER_TTY" , where as root logs can be captured
>> > similarway.
>>
>> USER_TTY is sent by the process that accepts the keyboard input.
>> Unprivileged users are not allowed to send audit records (otherwise they
>> would be able to fill the queue and/or the log partition, causing a DoS),
>> so the USER_TTY record is discarded.
>>
>> Even for unprivileged users you should have the type=TTY records,
>> although
>> they are noticeably more difficult to interpret.
>>
>> Mirek
>
> --
>
>
> Thanks & Regards,
>
> - Koresh
4447
days inactive
4448
days old
linux-audit@lists.linux-audit.osci.io
8 comments
4 participants
participants (4)
-
Koresh... -
Miloslav Trmac -
Peter Moody -
Steve Grubb