On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote:
1. su - "non_existent_account". Using the nispom.rules
provided by
audit 1.5.6-1. Using various ausearch parameters, am unable to find a
corresponding failure when attempting to "su" to a non-existent
account.
[root ~]# ssh -l badacct localhost
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied (publickey,gssapi-with-mic,password).
[root ~]# aureport --start today --login --failed
Login Report
============================================
# date time auid host term exe success event
============================================
1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264
2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266
3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268
4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270
[root ~]# ausearch --start today -a 264 -i
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
[root ~]# ausearch --start today -i -m USER_LOGIN -sv no
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
2. Non-privileged user attempting to change the date/time on the
server. Of course the user fails to be able to do so, but am unable to
capture or review the event.
This depends a lot on the arch. You could put execute watches on the apps you
expect someone to use:
-w /bin/date -p x -k time-change
But i also just noticed on x86_64, there is also a clock_settime syscall. I
found this by stracing the date program and tracking down a permission denied
message. So, on x86_64, add this:
-a entry,always -S clock_settime -k time-change
And it now shows this:
[sgrubb src]$ date 08200930date: cannot set date: Operation not permitted
Mon Aug 20 09:30:00 EDT 2007
[root ~]# ausearch --start recent -sv no -i
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64
syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0
a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb
sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date
subj=user_u:system_r:unconfined_t:s0 key="time-change"
Hope this helps...
-Steve