Hello All,

I've been working on getting audit/audisp-prelude/prelude set up on Fedora 10 and ran into a situation where it appears that audisp-prelude is not triggering on watched syscall events.

The system is running Fedora 10 with the 2.6.27.9-159.fc10 kernel, audit and audispd-plugins 1.7.10, and the host of prelude software and libraries. I followed Steve's HOWTO on installing and configuring audit and prelude and got it all installed without difficulties. After the configuration, I restarted auditd and saw that audispd and audisp-prelude were running, and so were prelude-manager and mysql. After starting up prewikka-httpd and pointing the web browser at the system, I tried a few things, like logging in and out successfully and unsuccessfully. I was pleased to see the events pop up in the browser window. I did some more tests wherein I caused programs to seg fault, and these events got recorded too. Needless to say I was impressed. Next I used the system-config-audit GUI tool to create some watch points on files with the ids-type-severity key set to get audisp-prelude's attention. Here's the listing of the rules from auditctl -l:

LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=ids-file-hi
LIST_RULES: exit,always watch=/bin/ping perm=x key=ids-exec-inf

I restarted auditd and ran ping. Nothing showed up in the browser window. I ran ping again, several times. Nothing at all. I did some things to /etc/shadow, and nothing. I did an ausearch for key=ids-exec-inf and got something like this:

time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118):  cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"

So, it looks like the watch points are firing and the records are getting into the audit log.

Then I ran aureport --summary -k:

Key Summary Report
===========================
total  file
===========================
112  ids-file-hi
16  ids-exec-inf

So both ausearch and aureport can find the keys and interpret them.

Next, I ran ausearch --raw -k ids-file-hi > test.log and then audisp-prelude --test < ./test.log

Nothing happened. All I got was "audisp-prelude is exiting on stop request".

I was confused about what was happening. Why do two programs see the keys and the other one not?

So I downloaded the source (audit-1.7.10.tar.gz) and rebuilt the audit package with prelude. When I executed the locally built audisp-prelude as above, I got the same result.

Looking through the code, the file audisp-prelude.c has a function called handle_watched_syscalls. After playing around with putting debug statements into the code and rerunning the test, over several runs, it looks like auparse_find_field is not finding the "key" field. The reason ausearch and aureport can find the "key" field is that they don't use auparse. I edited the test.log file and moved the "key" fields to the start of the record and ran the test; no difference. Next, I modified the source of audisp-prelude.c so that instead of looking for "key" to introduce the "ids-" info, handle_watched_syscalls would look for "subj" instead (I picked this one since I had seen that auparse_find_field could find this field). I edited test.log to replace "key=" with "subj=" and reran the test. This time I got output:

version: <empty>
alert:
        analyzer(0):
                analyzerid: 4123513432298101
                name: auditd
                manufacturer: Red Hat, http://people.redhat.com/sgrubb/audit/
                model: auditd
                version: 1.7.10
                class: HIDS
                ostype: Linux
                osversion: 2.6.27.9-159.fc10.i686
                node:
                        category: unknown (0)
                        name: localhost.localdomain
                process:
                        name: lt-audisp-prelude
                        pid: 3661
                        path: /home/gsmith/Projects/audit-1.7.10/audisp/plugins/prelude/.libs/lt-audisp-prelude
        create_time: 06/01/2009 15:28:34.312712 -08:00
        classification:
                text: Watched Executable
        detect_time: 31/12/2008 10:08:16.0 -08:00
        source(0):
                spoofed: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                user:
                        category: application (1)
                        user_id(0):
                                type: original-user (0)
                                tty: pts1
                                name: gsmith
                                number: 500
                process:
                        name: ping
                        pid: 3391
                        path: /bin/ping
        target(0):
                decoy: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                file(0):
                        name: ping
                        path: /bin/ping
                        category: current (1)
        assessment:
                impact:
                        severity: info (1)
                        completion: succeeded (2)
                        type: user (5)
                        description: A user has attempted to execute a program that is being watched.
        additional_data(0):
                type: string (0)
                meaning: Execve args
                data: a0=ping a1=-c a2=5 a3=10.0.2.2
        additional_data(1):
                type: string (0)
                meaning: Audit event serial #
                data: 66

Looking further, I found that auparse_find_next calls nvlist_find_name in nvlist.c. I added some debug statements to nvlist_find_name, and it seems never to compare its linked list of names against "key". So, I'm guessing that the linked list is not built correctly.

So, have I been barking up the wrong tree on why audisp-prelude does not trigger on "key=ids-" type fields? Any comments would be greatly appreciated.

Best regards,

Gary Smith
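A small field parser for raw audit records, added here as a standalone example (it is not part of audit, auparse or audisp-prelude, and not the poster's code). It does what the post's debugging was aiming at: splits each record into name=value fields (respecting quoted values such as cwd="/home/x y"), groups records into events by the serial number in msg=audit(ts:serial), and looks up the rule key across the whole event the way a plugin must. The find_field helper takes an optional start index to mimic the fact that auparse_find_field only scans forward from the current cursor record, which is one reason a lookup can miss a key that sits in the trailing SYSCALL record. The sample records are constructed for this example and modelled on the ausearch output above; hostnames, paths and serial numbers are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data), modelled on the post's ausearch output.
# Event 118 carries an ids- key in its SYSCALL record; event 119 has no key at all.
SAMPLE = """\
node=host.example.org type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0
node=host.example.org type=CWD msg=audit(1230759773.835:118):  cwd="/home/alice"
node=host.example.org type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=host.example.org type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 pid=17773 auid=500 uid=500 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-inf"
node=host.example.org type=SYSCALL msg=audit(1230759800.001:119): arch=40000003 syscall=5 success=yes exit=3 pid=17790 auid=500 uid=0 comm="cat" exe="/bin/cat" key=(null)
"""

# name=value where value is either a double-quoted string (escapes allowed) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg=audit(<seconds.millis>:<serial>) header shared by all records of one event.
HDR_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one raw audit record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if name == "msg" and value.startswith("audit("):
            m = HDR_RE.search(line)
            fields["timestamp"], fields["serial"] = m.group(1), int(m.group(2))
            continue
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[name] = value
    return fields


def group_events(text):
    """Group records by serial number into events, in the order they appear."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        # ausearch output also carries "time->" and "----" separator lines; skip them.
        if not line or line.startswith("time->") or line.startswith("----"):
            continue
        rec = parse_record(line)
        events[rec["serial"]].append(rec)
    return dict(events)


def find_field(event, name, start=0):
    """Return the first value of `name` in the event's records at index >= start.

    The `start` parameter models auparse's cursor: auparse_find_field scans forward
    from the current record, so a lookup begun after the record holding the field misses it.
    """
    for rec in event[start:]:
        if name in rec:
            return rec[name]
    return None


def event_key(event):
    """The rule key of an event, or None when it is absent or literally (null)."""
    key = find_field(event, "key")
    if key is None or key == "(null)":
        return None
    return key


def watched_events(text, prefix="ids-"):
    """Map serial -> summary for every event whose key starts with `prefix`."""
    out = {}
    for serial, recs in group_events(text).items():
        key = event_key(recs)
        if key and key.startswith(prefix):
            out[serial] = {
                "key": key,
                "exe": find_field(recs, "exe"),
                "auid": find_field(recs, "auid"),
            }
    return out


if __name__ == "__main__":
    for serial, info in sorted(watched_events(SAMPLE).items()):
        print(serial, info)
```

Feeding it the raw ausearch output from the post (ausearch --raw -k ids-file-hi) is a quick way to confirm that the key field is intact and reachable from the first record of each event before suspecting the plugin; if this parser finds the key but the plugin does not, the cursor position at the time of the lookup is the next thing to check.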