Best means of capturing audit changes to a certain filename under a path subtree? aka wildcard file watches
by Robin H. Johnson
Hi,
In the wake of the kernel.org attack, we're brushing up our security at
Gentoo (I lead our infrastructure/IT team for Gentoo services). One of
our self-identified weaknesses is auditing of changes to files used
elsewhere in our automated verification processes.
The audit subsystem gives a great general way to do this, but I can't
identify how best to audit changes to a file when the entire path is not
known ahead of time.
It seems that it would best be accomplished with wildcards:
/var/db/pkg/*/*/CONTENTS
However, the last email on the list about wildcards was from Steve,
back in March 2006, responding to somebody asking about wildcard
support, and Steve answered that it was potentially coming via a new
patch. I think that patch was inotify, and inotify doesn't support
wildcards.
Since it seems to not be natively possible, what is the most efficient
way of auditing those file changes? (They comprise some 2000 files out
of 60k in that tree).
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2(a)gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
13 years, 3 months
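Since the audit subsystem matches watches on literal paths, the usual workaround for a pattern like /var/db/pkg/*/*/CONTENTS is to enumerate the matching files when the rules are (re)generated and emit one watch per file. The script below is an added example, not code from the original post or from Gentoo infrastructure; the key name, the "-p wa" permission set and the sample file list are assumptions. Note that it deliberately does not use fnmatch, whose "*" would also match "/" and so would pick up files at the wrong depth.

```python
"""Generate auditd watch rules for files matching a path pattern.

Added example (not the original poster's code). The audit subsystem
has no wildcard support, so the practical approach is to enumerate
the files that match at rule-generation time and emit one watch per
file. PATTERN comes from the post; KEY and SAMPLE_TREE are assumptions.
"""
import glob
import re

PATTERN = "/var/db/pkg/*/*/CONTENTS"   # from the post
KEY = "pkgdb-contents"                  # assumed key name


def glob_to_regex(pattern: str):
    """Translate a shell-style pattern to a regex in which '*' and '?'
    never cross a '/' (unlike fnmatch, where '*' happily matches '/')."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def select_paths(candidates, pattern: str):
    """Return the candidate paths that match the pattern, sorted."""
    rx = glob_to_regex(pattern)
    return sorted(p for p in candidates if rx.match(p))


def watch_rules(paths, key: str):
    """One '-w PATH -p wa -k KEY' rule per file: log writes and
    attribute changes only, so ordinary reads of the ~2000 files do
    not end up in the log."""
    return [f"-w {p} -p wa -k {key}" for p in paths]


def rules_from_filesystem(pattern: str, key: str):
    """Live variant: glob the real tree. glob.glob's '*' does not
    cross '/', so the result already honours the directory depth."""
    return watch_rules(sorted(glob.glob(pattern)), key)


# Constructed sample tree (not real Gentoo data) so this runs offline.
SAMPLE_TREE = [
    "/var/db/pkg/sys-apps/coreutils-8.12/CONTENTS",
    "/var/db/pkg/sys-apps/coreutils-8.12/environment.bz2",
    "/var/db/pkg/dev-lang/python-2.7.2/CONTENTS",
    "/var/db/pkg/dev-lang/python-2.7.2/files/extra/CONTENTS",  # too deep
    "/var/db/pkg/CONTENTS",                                    # too shallow
]

if __name__ == "__main__":
    # Print rules for the sample tree; redirect into a rules file and
    # load with auditctl -R on a real host (rules_from_filesystem).
    for rule in watch_rules(select_paths(SAMPLE_TREE, PATTERN), KEY):
        print(rule)
```

The cost of this approach is that files created after the rules were generated (a newly merged package) are not watched until the rule file is regenerated and reloaded, so the generator has to run from whatever hook installs packages. The alternative that needs no regeneration is a single recursive rule on the tree, "-a always,exit -F dir=/var/db/pkg -F perm=wa -k pkgdb", followed by filtering on the CONTENTS name in ausearch output; that catches everything but also logs writes to the other ~58k files in the tree.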
Getting Process name instead of PPID
by nehal dattani
Hi,
I have a strange issue with iptables on my server. It was getting loaded
automatically even if I stopped it. I set auditing but couldn't find what
REALLY triggers iptables.
Here's snip from ausearch output
----
time->Thu Sep 8 20:12:35 2011
type=PATH msg=audit(1315492955.754:891146): item=1 name=(null)
inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315492955.754:891146): item=0 name="/sbin/iptables"
inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315492955.754:891146): cwd="/root"
type=EXECVE msg=audit(1315492955.754:891146): argc=2 a0="iptables" a1="-L"
type=SYSCALL msg=audit(1315492955.754:891146): arch=c000003e syscall=59
success=yes exit=0 a0=1c70fbc0 a1=1c6ff6f0 a2=1c6effe0 a3=8 items=2
ppid=11061 pid=11622 auid=11001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=92491 comm="iptables" exe="/sbin/iptables"
key="iptable_load_audit"
----
time->Thu Sep 8 20:23:28 2011
type=PATH msg=audit(1315493608.196:891434): item=1 name=(null)
inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315493608.196:891434): item=0 name="/sbin/iptables"
inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315493608.196:891434): cwd="/"
type=EXECVE msg=audit(1315493608.196:891434): argc=9 a0="/sbin/iptables"
a1="--table" a2="nat" a3="--delete" a4="POSTROUTING" a5="--source" a6="
192.168.122.0/255.255.255.0" a7="--jump" a8="MASQUERADE"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59
success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220
items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" key="iptable_load_audit"
The notable difference between the two entries is the tty. In the second, it says
tty=none. Based on this, it can be concluded that some application is
accessing iptables. I believe that if I can get the name of the PPID, it can help me
in tracing this further.
Any advice?
Regards,
Nehal Dattani
13 years, 3 months
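The audit record only carries the numeric ppid, and by the time ausearch is run the parent may be gone, so the process name has to come from the audit trail itself: if execve is being audited on the host, the parent's own exec record (where pid equals the child's ppid) names its exe and comm. The script below is an added example, not the original poster's code or part of the audit package. It assumes a rule such as "-a always,exit -F arch=b64 -S execve -k exec" is loaded, reads raw audit.log text, and matches syscall=59 only together with arch=c000003e (execve on x86_64). The sample records are constructed and the parent program name in them is hypothetical.

```python
"""Resolve the ppid of an audit event to the parent's exe/comm.

Added example (not the original poster's code). Assumes execve is
audited, so the parent's exec record is present in the log; works on
raw audit.log lines (or `ausearch --raw` output). Sample records are
constructed; "/opt/example/netmanager" is a hypothetical parent.
"""
import re
from collections import defaultdict

REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(lines):
    """Group raw records into events keyed by serial number.
    Returns {serial: {"time": float, "records": [(type, fields), ...]}}."""
    events = defaultdict(lambda: {"time": 0.0, "records": []})
    for line in lines:
        m = REC_RE.match(line.strip())
        if not m:
            continue   # skip 'time->' / '----' separators from ausearch
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"].append((rtype, fields))
    return dict(events)


def exec_history(events):
    """(time, pid, exe, comm) for every audited execve, oldest first.
    syscall 59 is execve only on x86_64, hence the arch check."""
    hist = []
    for ev in events.values():
        for rtype, f in ev["records"]:
            if (rtype == "SYSCALL" and f.get("arch") == "c000003e"
                    and f.get("syscall") == "59"):
                hist.append((ev["time"], int(f["pid"]), f.get("exe"), f.get("comm")))
    return sorted(hist)


def resolve_parent(events, serial):
    """For the event with this serial, return (exe, comm) of the newest
    execve by its ppid that happened no later than the event itself.
    None means the parent never exec'd while auditing was on (started
    before the rules loaded, or a forked worker that never calls execve).
    PID reuse is possible on a long-running box, so treat the answer as
    a lead, not proof."""
    ev = events[serial]
    syscall = next(f for t, f in ev["records"] if t == "SYSCALL")
    ppid = int(syscall["ppid"])
    candidates = [h for h in exec_history(events)
                  if h[1] == ppid and h[0] <= ev["time"]]
    if not candidates:
        return None
    _, _, exe, comm = candidates[-1]
    return exe, comm


# Constructed sample: a hypothetical daemon execs at :891000, then
# the iptables event from the post appears with ppid=5564.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1315493000.101:891000): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=5564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netmanager" exe="/opt/example/netmanager" key="exec"
type=EXECVE msg=audit(1315493000.101:891000): argc=1 a0="/opt/example/netmanager"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59 success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220 items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
type=EXECVE msg=audit(1315493608.196:891434): argc=9 a0="/sbin/iptables" a1="--table" a2="nat" a3="--delete" a4="POSTROUTING" a5="--source" a6="192.168.122.0/255.255.255.0" a7="--jump" a8="MASQUERADE"
type=PATH msg=audit(1315493608.196:891434): item=0 name="/sbin/iptables" inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG.splitlines())
    print("parent of 891434:", resolve_parent(evs, 891434))
```

When the log is on the box, "ausearch -p 5564" pulls every event whose pid field is the parent's, which is the same lookup done by hand; the script is mainly useful when the records have already been shipped to a central server and need to be correlated there. The auid=4294967295 and ses=4294967295 on the second record (no login session) are consistent with a daemon rather than an interactive user, which is what the script is trying to name.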
auditd questions
by Vipin Rathor
Hi Guys,
My auditd server is getting overwhelmed by the logs that it is getting.
I've configured a remote audit logging via audisp-plugin. Earlier I
tried to reduce the amount of logs by optimizing the audit rules. But
we want to reduce it further.
Here's the list of things that I can think of to reduce the overwhelming
volume of logs further:
1. Increase kernel buffer for auditd from 20480 (current) to 99999.
2. Increase the priority of auditd process. Currently 'priority_boost
= 10'. Default is 4. I don't know the maximum value (though I've seen
someone using 12). Can anyone tell me what's the maximum priority I
can give?
3. Optimize the audit messages further:
a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
being audited. This can be done with following rule (Thanks to
Steve!):
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
b. Exclude specific processes by their PIDs. This will be tricky as
we will need to keep track of PIDs in case of process
start/stop/restart etc.
Any other idea that I'm missing on this list? Is it possible to filter
the messages based on message pattern matching (like syslog)?
Any help will be much appreciated.
--
-Rathor
13 years, 3 months
auditing ntpd
by Vipin Rathor
Hi (again),
I've this rule in audit.rules file to keep a tab on system time change:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -F auid!=-1 -k
adjtimex_time-change
And I'm continuously getting these messages on the external logging server:
node=<hostname> type=SYSCALL msg=audit(1315476783.281:537763):
arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861
a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38
suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352
comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"
After strace'ing the ntpd, I can see the 'adjtimex' system call
getting called continuously:
# strace -p 2551623
Process 2551623 attached - interrupt to quit
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
663331}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477226, 286574975},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
select(28, [16 17 18 19 20 21 22 23 24 25 26 27], NULL, NULL, {0,
994495}) = 0 (Timeout)
adjtimex({modes=ADJ_OFFSET|0x8000, offset=0, freq=0,
maxerror=16000000, esterror=16, status=STA_UNSYNC|0x2000, constant=0,
precision=1, tolerance=32768000, time={1315477227, 282047022},
tick=10000, ppsfreq=0, jitter=0, shift=0, stabil=0, jitcnt=0,
calcnt=0, errcnt=0, stbcnt=0}) = 5 (TIME_ERROR)
.....
.....
Any pointers on why this is happening? How to resolve this?
I'm using RHEL 6.1 with these audit rpms:
audit-libs-2.1-5.el6.x86_64
audit-2.1-5.el6.x86_64
audispd-plugins-2.1-5.el6.x86_64
Thanks in advance for any help in this regard.
--
-Rathor
13 years, 3 months
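The two threads above ask for related things: syslog-style pattern filtering of audit records before they reach the remote logging server, and some way to stop ntpd's once-a-second adjtimex calls from flooding the "adjtimex_time-change" key. The script below is an added example written for both, not code from the original posts or from the audit project. It is shaped as an audispd plugin body: audispd hands plugins one record per line on stdin, and this filter drops whole events that match a deny-list of regexes and writes the rest to stdout for whatever forwards them onward. The plugin configuration, the deny-list entries and the sample records are all assumptions; whether EOE records are present in the stream is treated as unknown, so the filter closes an event either on EOE or when the serial number changes.

```python
"""Pattern-based drop filter for an audispd record stream.

Added example, not the audit project's code. Reads records on stdin,
drops every record of an event in which any record matches a deny
regex, and writes surviving records to stdout. Dropping by whole
event matters: a PATH record is the only one naming the file, but
SYSCALL/CWD records of the same serial would otherwise be forwarded
as an orphaned, unexplained fragment. Deny entries and samples are
constructed; a plugin .conf pointing at this script is assumed.
"""
import re
import sys

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

# Constructed deny-list: (label for statistics, regex on the raw line).
# uid=38 / comm="ntpd" come from the records quoted in the post.
DENY = [
    ("ntpd polling adjtimex",
     re.compile(r'\bsyscall=159\b.*\buid=38\b.*\bcomm="ntpd"')),
    ("bash prompt file",
     re.compile(r'\bname="/etc/sysconfig/bash-prompt-xterm"')),
]


class EventFilter:
    """Buffers one event at a time; an event is released (or dropped)
    on its EOE record or when a record with a new serial arrives."""

    def __init__(self, deny=DENY):
        self.deny = deny
        self.counts = {}                 # label -> dropped event count
        self._buf, self._serial, self._hit = [], None, None

    def _flush(self):
        if self._hit is None:
            out = list(self._buf)
        else:
            out = []
            self.counts[self._hit] = self.counts.get(self._hit, 0) + 1
        self._buf, self._hit = [], None
        return out

    def feed(self, line):
        """Feed one raw record; return the lines now safe to forward."""
        line = line.rstrip("\n")
        m = SERIAL_RE.search(line)
        serial = m.group(1) if m else None
        out = []
        if self._buf and serial != self._serial:
            out = self._flush()          # previous event ended silently
        self._serial = serial
        self._buf.append(line)
        if self._hit is None:
            for label, rx in self.deny:
                if rx.search(line):
                    self._hit = label
                    break
        if line.startswith("type=EOE"):
            out += self._flush()         # explicit end of event
        return out

    def close(self):
        return self._flush() if self._buf else []


def filter_lines(lines, deny=DENY):
    """Batch helper: returns (kept_lines, drop_counts)."""
    f = EventFilter(deny)
    kept = []
    for line in lines:
        kept.extend(f.feed(line))
    kept.extend(f.close())
    return kept, f.counts


# Constructed sample: the ntpd record from the post, a constructed
# settimeofday (164 on x86_64) by an interactive user that must survive,
# and a constructed open() of the bash-prompt file under an /etc watch.
SAMPLE = """\
type=SYSCALL msg=audit(1315476783.281:537763): arch=c000003e syscall=159 success=yes exit=5 a0=7fff05a77db0 a1=861 a2=0 a3=1 items=0 ppid=1 pid=2551623 auid=0 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=61352 comm="ntpd" exe="/usr/sbin/ntpd" key="adjtimex_time-change"
type=EOE msg=audit(1315476783.281:537763):
type=SYSCALL msg=audit(1315476790.512:537770): arch=c000003e syscall=164 success=yes exit=0 a0=7fff1234 a1=0 a2=0 a3=0 items=0 ppid=4000 pid=4001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="date" exe="/bin/date" key="adjtimex_time-change"
type=EOE msg=audit(1315476790.512:537770):
type=SYSCALL msg=audit(1315476800.000:537780): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=4000 pid=4002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=7 comm="bash" exe="/bin/bash" key="etc-watch"
type=CWD msg=audit(1315476800.000:537780): cwd="/home/user"
type=PATH msg=audit(1315476800.000:537780): item=0 name="/etc/sysconfig/bash-prompt-xterm" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1315476800.000:537780):
"""

if __name__ == "__main__":
    f = EventFilter()
    for raw in sys.stdin:
        for out in f.feed(raw):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()               # audispd streams; do not batch
    for out in f.close():
        sys.stdout.write(out + "\n")
    sys.stderr.write("dropped events: %r\n" % f.counts)
```

Two caveats from the thread itself apply. First, a userspace filter does nothing for the kernel buffer or the auditd queue, which is the resource the first post is trying to relieve; anything the rule language can express should be excluded in the kernel instead, with a never rule placed before the matching always rule or watch, for example "-a never,exit -F arch=b64 -S adjtimex -F uid=38" ahead of the time-change rule, or "-a never,exit -F path=/etc/sysconfig/bash-prompt-xterm" ahead of "-w /etc". Second, keep the deny patterns narrow: the ntpd entry above is anchored on the syscall number and uid as well as comm, since comm is chosen by the process and a 15-character string any attacker can set.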
help needed: how to exclude a single file from being audited.
by Vipin Rathor
Hi Guys,
I've a situation here. I've put a watch on a directory (e.g. -w /etc).
Due to this, every action on files under this directory is being
audited.
Now I want to exclude a single file in that directory (e.g.
/etc/sysconfig/bash-prompt-xterm), how should I do that?
I tried something like this in my exclude list:
-a exclude,never -F path=/etc/sysconfig/bash-prompt-xterm
But got this error:
Only msgtype field can be used with exclude filter
Any idea, how to exclude a single file from a 'watched' directory?
Many thanks.
--
-Rathor
13 years, 3 months
new auparse question
by LC Bruzenak
I have an issue now with auparse_find_field.
I work around it fine though but maybe it's worth reporting.
There is a place where I do this:
const char *result;
...
result=auparse_find_field(au, "res");
and get a segfault.
If I instead do this:
const char *result;
...
auparse_first_field(au);
result=auparse_find_field(au, "res");
then it is fine.
A quick gdb test shows me :
0x00007ffff7dd2a7d in nvlist_get_cur_name (au=0x617a90, name=0x4022a8 "res") at nvlist.h:40
40 static inline const char *nvlist_get_cur_name(const nvlist *l) {return l->cur->name;}
Looking at my own code, I believe I previously had walked through the
event record using this loop:
...
auparse_first_field(au);
do {
...
} while (auparse_next_field(au) > 0);
...
and so I guess that the "cur" field was undefined when I used the
auparse_find_field call.
It (auparse_find_field) calls:
...
cur_name = nvlist_get_cur_name(&r->nv);
and I guess that's where the problem happened.
So my question is - is this a bug (I would think so) or should I always
precede any auparse call sequence with at least one fresh
auparse_first_field call?
Thx,
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
13 years, 4 months