On Monday, August 21, 2017 12:01:43 PM EDT Maupertuis Philippe wrote:
Hi,
I was toying with the audit pci configuration.
I opened a root session with sudo in which I just typed C-r nss to retrieve
the command "less /etc/nsswitch.conf" from the bash_history. The text
format, as shown below, doesn't handle correctly the tty_audit
information. Is it a known limitation?
Ausearch format text
On yppcil51s.sys.meshcore.net at 10:23:34 21/08/17 fr18358, acting as root, successfully changed-identity-of /usr/bin/sudo using setresuid
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, typed
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, did-unknown
On yppcil51s.sys.meshcore.net at 10:24:14 21/08/17 fr18358, acting as root, successfully ended-session /dev/pts/0
Yes, this was an omission. I checked in code that supports TTY auditing today.
Ausearch -i format raw
----
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(21/08/17 10:23:34.400:20501) : proctitle=sudo -i
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(21/08/17 10:23:34.400:20501) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=root a1=root a2=root a3=0x7fab09de8300 items=0 ppid=20742 pid=20743 auid=fr18358 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1287 comm=sudo exe=/usr/bin/sudo key=10.2.5.b-elevated-privs-session
----
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(21/08/17 10:24:08.661:20503) : pid=20743 uid=root auid=fr18358 ses=1287 data="less /etc/nsswitch.conf"
----
node=yppcil51s.sys.meshcore.net type=TTY msg=audit(21/08/17 10:24:08.661:20502) : tty pid=20743 uid=root auid=fr18358 ses=1287 major=136 minor=0 comm=bash data=<^R>,"nss",<ret>
----
node=yppcil51s.sys.meshcore.net type=USER_END msg=audit(21/08/17 10:24:14.479:20506) : pid=20742 uid=root auid=fr18358 ses=1287 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'
ausearch format raw
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.394:20497): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=ffffffff a2=ffffffff a3=7fab09de8300 items=0 ppid=20717 pid=20742 auid=3318358 uid=0 gid=20599 euid=0 suid=0 fsuid=0 egid=20599 sgid=20599 fsgid=20599 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="nobody" EUID="root" SUID="root" FSUID="root" EGID="nobody" SGID="nobody" FSGID="nobody"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.394:20497): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66UID="root" AUID="fr18358"
Additionally, I noticed that ausearch -f /etc/nsswitch.conf doesn't return
anything. It may be working as expected but I doubt it would be very usable
to find out who fiddled with a file.
The -f option picks the file name out of PATH records. It has no way to know
that anything being typed on a console happens to be a file name.
-Steve
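The two points in this exchange (the text format printing a bare "typed" for USER_TTY records, and -f only seeing PATH records) both come down to the fact that the typed command lives in the hex-encoded data= field of USER_TTY/TTY records. The following is an added example, not code from the audit project or from anyone on the list: a small parser over raw-format records that decodes that field, renders it the way the interpreted output above shows it, and searches typed text for a file name. The sample records are constructed from the ones quoted in the thread (the TTY record's hex payload is my reconstruction of <^R>,"nss",<ret>; the enrichment fields after the record separator are omitted). Function names are my own.

```python
"""Decode the data= field of raw audit USER_TTY/TTY records and search typed
text for a file name. Example code added to this thread, not ausearch's own."""
import re
from typing import Dict, List

# Constructed sample input, modelled on the raw records quoted in the thread.
RAW_RECORDS = [
    'node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): '
    'arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 '
    'items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" '
    'key="10.2.5.b-elevated-privs-session"',
    # Hex payload reconstructed to match <^R>,"nss",<ret> from the interpreted output.
    'node=yppcil51s.sys.meshcore.net type=TTY msg=audit(1503303848.661:20502): '
    'tty pid=20743 uid=0 auid=3318358 ses=1287 major=136 minor=0 comm="bash" '
    'data=126E73730D',
    'node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): '
    'pid=20743 uid=0 auid=3318358 ses=1287 '
    'data=6C657373202F6574632F6E737377697463682E636F6E66',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
CONTROL_NAMES = {'\r': '<ret>', '\n': '<nl>', '\t': '<tab>', '\x1b': '<esc>', '\x7f': '<del>'}


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw record into a field dict, keeping values verbatim (quotes included)
    so that the quoted-vs-hex distinction survives for decode_audit_string."""
    rec: Dict[str, str] = {}
    m = MSG_RE.search(line)
    if m:
        rec['timestamp'], rec['serial'] = m.group(1), m.group(2)
    for key, value in FIELD_RE.findall(line):
        if key != 'msg':          # msg=audit(...) was already taken apart above
            rec[key] = value
    return rec


def decode_audit_string(value: str) -> str:
    """Raw audit strings are double-quoted when printable and hex-encoded when they
    contain spaces, quotes or control characters (tty data almost always does)."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def render_keystrokes(text: str) -> str:
    """Approximate ausearch's TTY rendering: printable runs in quotes, control
    characters as <^X> tokens, comma separated, e.g. <^R>,"nss",<ret>."""
    tokens: List[str] = []
    run = ''
    for ch in text:
        if ch.isprintable():
            run += ch
            continue
        if run:
            tokens.append(f'"{run}"')
            run = ''
        if ch in CONTROL_NAMES:
            tokens.append(CONTROL_NAMES[ch])
        elif ord(ch) < 32:
            tokens.append(f'<^{chr(ord(ch) + 64)}>')
        else:
            tokens.append(f'<{ord(ch):#04x}>')
    if run:
        tokens.append(f'"{run}"')
    return ','.join(tokens)


def render_text(rec: Dict[str, str]) -> str:
    """One-line summary per record, with the tty payload actually shown."""
    who = f"auid {rec.get('auid', '?')}"
    rtype = rec.get('type')
    if rtype == 'USER_TTY':
        return f"{who} typed {decode_audit_string(rec.get('data', ''))!r}"
    if rtype == 'TTY':
        return f"{who} pressed {render_keystrokes(decode_audit_string(rec.get('data', '')))}"
    if rtype == 'SYSCALL':
        return f"{who} syscall {rec.get('syscall')} via {decode_audit_string(rec.get('exe', '?'))}"
    return f"{who} {rtype}"


def find_typed_file(lines: List[str], filename: str) -> List[Dict[str, str]]:
    """Records whose typed tty text mentions filename. This is what `ausearch -f`
    cannot do, since -f only looks at PATH records."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') in ('USER_TTY', 'TTY'):
            if filename in decode_audit_string(rec.get('data', '')):
                hits.append(rec)
    return hits


if __name__ == '__main__':
    for raw in RAW_RECORDS:
        print(render_text(parse_record(raw)))
    for hit in find_typed_file(RAW_RECORDS, '/etc/nsswitch.conf'):
        print(f"session {hit['ses']} pid {hit['pid']} at {hit['timestamp']} typed the file name")
```

Running it prints the sudo setresuid line, `pressed <^R>,"nss",<ret>` for the TTY record and `typed 'less /etc/nsswitch.conf'` for the USER_TTY record, then one hit for the file-name search; feed it `ausearch -r` output (one record per line) to do the same on a real log. Note that a decoded tty payload is whatever the user pressed, including editing keystrokes, so matching a file name in it shows intent to reference that path, not that the file was opened; the PATH/SYSCALL records that -f does index remain the evidence of actual access.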
Has someone on the list successfully used the PCI rules in an actual PCI audit?
Philippe