Announcing audit-viewer
by Miloslav Trmač
Hello,
audit-viewer is now available in Fedora 9. It is a GUI for viewing
audit logs and running simple reports on them, intended as an ueasy to
use alternative to ausearch and aureport. To see what audit-viewer can
do, please read
https://fedorahosted.org/audit-viewer/wiki/AuditViewerTour .
The program is still under development, more features (graphs in
particular) and more polish is planned. I'll be grateful for any
feedback (what works well, what doesn't work, what is difficult to do or
unintuitive).
To install audit-viewer on Fedora, run (yum install audit-viewer). Then
you'll find it in the System/Administration menu as "Audit Logs".
To build audit-viewer on other distributions, you'll need the source
code available at https://fedorahosted.org/audit-viewer/ . audit-viewer
depends on python-gtkextra, and the last release of python-gtkextra
doesn't build on recent systems. You may find the patch at
http://cvs.fedora.redhat.com/viewcvs/devel/python-gtkextra/ useful.
Mirek
16 years, 7 months
ausearch notes
by LC Bruzenak
audit-1.7.4-1.fc9.x86_64
The "-i" flag on ausearch appears to remove the "node=" info when the
type!=UNKNOWN:
[root@hugo sbin]# ausearch -ts today | grep -i welcome
...
node=hugo type=UNKNOWN[2800] msg=audit(1212175003.754:11074): user
pid=20597 uid=0 auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c1023
msg='*C* 5/30 19:16:43 comms 20836 audit test: Welcome to audit test
LCB3 : exe="/opt/jcdx/sbin/SecureSyslog" (hostname=comms,
addr=192.168.31.60, terminal=? res=failed)'
node=hugo type=TRUSTED_APP msg=audit(1212175342.808:11387): user
pid=21612 uid=0 auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c1023
msg='*C* 5/30 19:22:22 comms 21615 audit test: Welcome to audit test
LCB3 : exe="/opt/jcdx/sbin/SecureSyslog" (hostname=comms,
addr=192.168.31.60, terminal=? res=failed)'
...
[root@hugo sbin]# ausearch -i -ts today | grep -i welcome
...
node=hugo type=UNKNOWN[2800] msg=audit(05/30/2008 14:16:43.754:11074) :
user pid=20597 uid=root auid=root
subj=root:staff_r:staff_t:s0-s15:c0.c1023 msg='*C* 5/30 19:16:43 comms
20836 audit test: Welcome to audit test LCB3 :
exe=/opt/jcdx/sbin/SecureSyslog (hostname=comms, addr=192.168.31.60,
terminal=? res=failed)'
type=TRUSTED_APP msg=audit(05/30/2008 14:22:22.808:11387) : user
pid=21612 uid=root auid=root subj=root:staff_r:staff_t:s0-s15:c0.c1023
msg='*C* 5/30 19:22:22 comms 21615 audit test: Welcome to audit test
LCB3 : exe=/opt/jcdx/sbin/SecureSyslog (hostname=comms,
addr=192.168.31.60, terminal=? res=failed)'
...
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 7 months
ausearch from cron
by Kurt S Harris
When I run an ausearch from a cron in RedHat 5.1 I don't get any output,
running the same command from the command line I get results. Any ideas
on what I'm missing?
output:
<no matches>
May 29 09:36:01 magenta last message repeated 3 times
May 29 09:36:01 magenta logger: AuditSearch: -ts 09:35:00 -te 09:36:00
May 29 09:36:01 magenta logger:
crontab:
* * * * 1-5 /usr/sbin/logaudit >> /var/log/messages 2>>/var/log/messages
logaudit:
#!/bin/bash
logaudit(){
ctime=$(/bin/date '+%T')
min=$(echo ${ctime}|cut -f2 -d:)
if [ "${min}" = "00" ];then
Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1 -1 ":59:00
-te "$1":"$2":00"}')
else
Args=$(echo ${ctime} | /bin/awk -F : '{print "-ts "$1":" $2 - 1
":00 -te "$1":"$2":00"}')
fi
echo -e "\nAuditSearch:" $Args
/sbin/ausearch ${Args} -i >> /var/log/messages 2>>/var/log/messages
echo -e "\n\n"
}
logaudit | /usr/bin/logger -p auth.alert
16 years, 7 months
aureport summary
by LC Bruzenak
Here is my report:
[root@hugo audit]# aureport --summary
Summary Report
======================
Range of time in logs: 05/27/2008 12:04:31.669 - 05/28/2008 18:14:56.100
Selected time for report: 05/27/2008 12:04:31 - 05/28/2008 18:14:56.100
Number of changes in configuration: 174
Number of changes to accounts, groups, or roles: 0
Number of logins: 5
Number of failed logins: 1
Number of authentications: 25
Number of failed authentications: 1
Number of users: 2
Number of terminals: 16
Number of host names: 8
Number of executables: 114
Number of files: 19536
Number of AVC's: 1007
Number of MAC events: 25
Number of failed syscalls: 1283
Number of anomaly events: 107
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 14
Number of process IDs: 1473
Number of events: 37218
IIUC the last line - number of events - should be the sum of all the
previous.
However, adding up the events (barring OE) before that comes to 23791. I
guess there are overlaps too - for example, the keys are possibly also
in syscall events?
Are some events missing on purpose?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 7 months
Using the audit system for non-security events
by Eric Paris
The userspace group is attempting to write new applications which will
dynamically profile system startup and preload applications and data so
that they are hot in the kernel when they are needed.
http://fedoraproject.org/wiki/Features/30SecondStartup/ReadAheadReloaded
They need to see all of the exec and open calls from the system so they
can profile what is needed. They discovered that the audit system does
exactly what they need except one problem. It writes all of the exec
and open call records to disk which very quickly gets too large. All
they want is a way to tell the audit system to send a message to the
audit dispatcher but not to log to disk. This isn't so easy as it means
that audit has to somehow parse the messages rather than just quickly
write them.
Since the plan is to always have the audit system always emit these
rules on all non-server type systems it really isn't reasonable to have
them written to disk. We suggested they look at system-tap, which was
able to give them the information, but it meant compiling a kernel
module for every kernel and had all sorts of maintenance nightmares
(from what I'm told) so they came back to me.
What I'm considering is a new 'flag' which audit rules can be loaded
with which indicates to use the new 'no-log' netlink socket. The kernel
would then have 2 netlink sockets. One will continue to talk to auditd
the other straight to a dispatcher. No changes will be made in any way
to the way we handle messages or panic on message loss to the 'normal'
audit queue. I'm thinking the second netlink socket will be a 'best
effort' audit system. Messages may be dropped without indication it
should run at a lower priority, blah blah blah. It would allow the very
flexible and powerful audit system to be used for profiling and data
collection for non-security relevant applications.
I want thoughts on such a proposal. Obviously I'm going to ahve to put
some real thought/care into how to handle 'overlapping' rules between
security and non-security and stuff like that, but as a general idea
what do people think?
-Eric
16 years, 7 months
audit_log_user_message question
by LC Bruzenak
In looking at the user application audit I'm wondering why there is a
"hostname" field there?
I understand the obvious answer but would think I'd trust the auditd or
audispd more than an application for the hostname answer, and those
would be consistent.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
16 years, 7 months
audit 1.7.4 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Fix interpreting of keys in syscall records
- Interpret audit rule config change list fields
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Fix --end today to be now
- Added python bindings for auparse_goto_record_num
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl
- In audispd boost priority after starting children
This release is a mix of bug fixes and new features. The bug fixes are what is
driving the release earlier than what I'd like. I was doing some testing and
found that a lot of keys were not being interpreted correctly. I think many
were coming back as (null) which looks pretty normal if you don't use the
keys. Anyways, this is fixed.
I also found that ausearch/report were not processing some events correctly
when the PATH record's name field was (null). The result of this was that the
event was being discarded in search results.
With the new interest in keys, I added a key report to aureport. This presents
a listing of what keys & quantities have been found in a given time frame.
During testing of that, I found that "--end today" was not behaving as I
expected. I really think that when you do aureport --start yesterday --end
today, you should see events from yesterday at midnight until now.
I added an interpretation for the list in audit watch add/delete events. This
will now print the list's name like exit,entry, user, etc.
This release also adds support for a new rule field in he 2.6.26 kernel. If
you wanted to audit setting the execute bit via the chmod syscal, you would
normally write a rule something like this:
-a always,exit -S chmod -F a1&0111
but the problem is that this will trigger on chmod 0755 of directories which
is pretty common if you want the directory to be searchable. So we added a
new option to let you specify what the object's type is, filetype. The new
rule would look like this:
-a always,exit -S chmod -F a1&0111 -F filetype=file
filetype can be file, dir, socket, symlink, char, block, or fifo.
And last item I wanted to comment on was the change in priority boost for
audispd. I moved the call to nice() until after the child processes were
started. This is because audispd should not have to fight with its children
for time slices at the higher priority. It has an internal queue that can be
extended by admin configurable parameters. The children are now started with
the priority inherited from auditd.
Please let me know if you run across any problems with this release.
-Steve
16 years, 7 months
Viewing Auditd LOG format (RHEL 4 Workstation: 64bit Kernel 2.6.9-67)
by McCarthy, John D.
Is there a way to view/change the Auditd log format so when I view the
logs they are more user friendly to read? I think the auditd.conf file
format is FORMAT=RAW, is this the setting and if so can I change it so
my logs are less complicated to read. The other log files (SYSTEM or
SECURITY) are user easy enough to read; its just the auditd.log files
are complicated.
Thank You
John D. McCarthy
Information Assurance Principal Engineer
General Dynamics AIS
5200 Springfield Pike Suite 200
Dayton, Ohio 45431-1289
Phone: 937-476-2619
Fax: 937-476-2542
16 years, 7 months
NISPOM Auditing
by Mathis, Jim
Hello,
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit'log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13
-k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13
-k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
Thanks
-Jim
16 years, 7 months
Way too many logs!
by Jeremy Leonard
Here are the rules I'm using:
-D
-b 8096
-a exit,always -S open -F success=0 -k RULE1
-a exit,always -S unlink -S rmdir -k RULE2
-w /etc/auditd.conf -k RULE3
-w /etc/audit.rules -k RULE4
-a exit,always -S acct -S reboot -S swapon -k RULE5
-a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6
-a exit,always -S sched_setparam -S sched_setscheduler -k RULE7
-a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8
-a exit,always -S lchown -k RULE9
Here is the output of aureport:
Summary Report ======================
Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266
Number of changes in configuration: 22
Number of changes to accounts, groups, or roles: 0
Number of logins: 0 Number of failed logins: 0
Number of users: 2 Number of terminals: 4 Number of host names: 2
Number of executables: 33 Number of files: 693
Number of AVC denials: 0 Number of MAC events: 0
Number of failed syscalls: 4052
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 1428
Number of events: 1444530
This is 475mb in ten minutes!
Here is how the rule hits add up:
RULE1: 4052
RULE2: 601
RULE3: 9
RULE4: 1
RULE5: 0
RULE6: 40
RULE7: 1438239
RULE8: 1503
RULE9: 0
Here is one of the log entries I have so many of.
type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7"
How can I exclude this so it doesn't get logged?
The rules I have above are required by the government. DIACAP STIG
Thanks!
16 years, 7 months