Re: Matching SSHD information in audit logs
On Tuesday, December 17, 2019 12:16:14 PM EST MAUPERTUIS, PHILIPPE wrote:
> > What are the corresponding events in audit ?
>
> I don't think anyone has ever tried to map between syslog and audit. I
> also think that CIS maybe doesn't understand audit and how it works. For
> quite some time, there has been a requirement to log any key lifecycle
> in the audit logs. This means that the DH key exchange and the session
> keys get logged when they are created and when they are destroyed. Also,
> pam logs the session
> beginning and end. And sshd logs any keys that it accepts. So, I think
> the information is there if one wanted or needed to map between them. But
> it should be unnecessary. I'm not sure what CIS is looking for in syslog.
> Because if there is something important in syslog that is not in the
> audit logs, I'd like to know what it is.
>
> > My main concern is with the bold line which indicates how the public
> > key was granted
>
> That should also be in the audit logs.
I find in the audit log which key has been accepted but not that it has
been accepted due to /usr/bin/sss_ssh_authorizedkeys (and not a local
authorized_keys file). In the USER_AUTH message I can see a field
grantors=auth-key but I don't know how to interpret it.
The grantors part comes from pam. It is used to describe what in the pam
stack allowed the access. Sshd should use "pubkey_auth" somewhere in the
event if it granted the access.
I had a look at
https://github.com/linux-audit/audit-documentation/blob/master/specs/field
s/field-dictionary.csv but grantor is not mentioned there I didn't other
fields as well :
From SOFTWARE_UPDATE the fields sw, sw_type, key_enforce are not listed.
The page
https://github.com/linux-audit/audit-documentation/blob/master/specs/messa
ges/message-dictionary.csv doesn't mention the type SOFTWARE_UPDATE Maybe I
am looking at the wrong place, Where should I look ?
This has not been updated in a long time. The source code is where I go to
find the truth about anything. :-)
> > Could you point me to a documentation showing which events
a ssh login
> > would generate ?
>
> To my knowledge, there is no document that singles out what a sshd login
> should look like. There are documents that explain what the record type
> are. And you should be able to isolate them by ausearch -x sshd.
What I missed was this ausearch -x sshd which gives me the events
OK. Good. Glad that was helpful.
-Steve