Hi,
I was toying with the audit PCI configuration.
I opened a root session with sudo, in which I just typed C-r nss to retrieve the command "less /etc/nsswitch.conf" from the bash_history.
The text format, as shown below, doesn't handle the tty_audit information correctly.
Is it a known limitation?
ausearch --format text:
On yppcil51s.sys.meshcore.net at 10:23:34 21/08/17 fr18358, acting as root, successfully changed-identity-of /usr/bin/sudo using setresuid
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, typed
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, did-unknown
On yppcil51s.sys.meshcore.net at 10:24:14 21/08/17 fr18358, acting as root, successfully ended-session /dev/pts/0
ausearch -i --format raw:
----
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(21/08/17 10:23:34.400:20501) : proctitle=sudo -i
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(21/08/17 10:23:34.400:20501) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=root a1=root a2=root a3=0x7fab09de8300 items=0 ppid=20742 pid=20743 auid=fr18358
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1287 comm=sudo exe=/usr/bin/sudo key=10.2.5.b-elevated-privs-session
----
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(21/08/17 10:24:08.661:20503) : pid=20743 uid=root auid=fr18358 ses=1287 data="less /etc/nsswitch.conf"
----
node=yppcil51s.sys.meshcore.net type=TTY msg=audit(21/08/17 10:24:08.661:20502) : tty pid=20743 uid=root auid=fr18358 ses=1287 major=136 minor=0 comm=bash data=<^R>,"nss",<ret>
----
node=yppcil51s.sys.meshcore.net type=USER_END msg=audit(21/08/17 10:24:14.479:20506) : pid=20742 uid=root auid=fr18358 ses=1287 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'
ausearch --format raw:
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.394:20497): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=ffffffff a2=ffffffff a3=7fab09de8300 items=0 ppid=20717 pid=20742 auid=3318358 uid=0 gid=20599 euid=0 suid=0 fsuid=0 egid=20599 sgid=20599 fsgid=20599 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="nobody" EUID="root" SUID="root" FSUID="root" EGID="nobody" SGID="nobody" FSGID="nobody"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.394:20497): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66UID="root" AUID="fr18358"
Additionally, I noticed that ausearch -f /etc/nsswitch.conf doesn't return anything.
It may be working as expected, but I doubt it would be very usable to find out who fiddled with a file.
Has someone on the list successfully used the PCI rules in an actual PCI audit?
Philippe
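The hex payloads in the raw output above can be decoded without relying on ausearch's text formatter. The following is an added example written for this page, not code from the audit project or from the poster: it parses raw records, decodes the USER_TTY, TTY and PROCTITLE fields, and prints the command line that `--format text` reports only as "typed". The sample records are constructed to mirror the ones in the post; the node name `host1` and the TTY record's hex payload (`126E73730D`, i.e. Ctrl-R, "nss", Enter) are assumptions, and the control-byte names in `NAMED` approximate the rendering of `ausearch -i` rather than reproduce auparse's table.

```python
"""Decode raw Linux audit records, in particular the hex-encoded tty_audit payloads."""
import re

# Constructed sample modelled on the raw ausearch output in the post. The node name and
# the TTY record's hex payload (^R, "nss", Enter) are assumptions, not copied log lines.
SAMPLE = """\
node=host1 type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"
node=host1 type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=host1 type=TTY msg=audit(1503303848.661:20502): tty pid=20743 uid=0 auid=3318358 ses=1287 major=136 minor=0 comm="bash" data=126E73730D
node=host1 type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66
"""

HEADER = re.compile(r'^(?:node=(\S+)\s+)?type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Names for common control bytes, assumed to approximate what ausearch -i prints;
# any other control byte is shown as <^X>, bytes >= 0x80 as <hh>.
NAMED = {0x09: "<tab>", 0x0A: "<nl>", 0x0D: "<ret>", 0x1B: "<esc>", 0x7F: "<del>"}


def parse_record(line):
    """Split one raw record into header fields plus its key=value pairs (quotes kept)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    node, rtype, ts, serial, rest = m.groups()
    rec = {"node": node, "type": rtype, "time": float(ts), "serial": int(serial)}
    rec.update(FIELD.findall(rest))  # a bare token such as the leading "tty" is skipped
    return rec


def unhex(value):
    """auditd hex-encodes a field when it holds non-printables; quoted values are literal."""
    if value.startswith('"'):
        return value.strip('"').encode()
    return bytes.fromhex(value)


def render_tty(raw):
    """Render a tty_audit payload ausearch-style: printable runs quoted, control bytes
    named, items comma separated."""
    items, run = [], []

    def flush():
        if run:
            items.append('"%s"' % "".join(run))
            run.clear()

    for b in raw:
        if 0x20 <= b < 0x7F:
            run.append(chr(b))
            continue
        flush()
        if b in NAMED:
            items.append(NAMED[b])
        elif b < 0x20:
            items.append("<^%c>" % (b ^ 0x40))  # 0x12 -> <^R>
        else:
            items.append("<%02x>" % b)
    flush()
    return ",".join(items)


def summarize(text):
    """One readable line per record, decoding what --format text leaves as a bare
    'typed' or 'did-unknown'."""
    out = []
    for rec in filter(None, map(parse_record, text.splitlines())):
        who = "auid=%s ses=%s pid=%s" % (rec.get("auid"), rec.get("ses"), rec.get("pid"))
        if rec["type"] == "USER_TTY":  # the completed command line bash handed over
            out.append("%s typed: %s" % (who, unhex(rec["data"]).decode("utf-8", "replace")))
        elif rec["type"] == "TTY":  # raw keystrokes, including the Ctrl-R history search
            comm = rec.get("comm", "?").strip('"')
            out.append("%s keystrokes in %s: %s" % (who, comm, render_tty(unhex(rec["data"]))))
        elif rec["type"] == "PROCTITLE":  # argv, NUL separated when hex-encoded
            argv = unhex(rec["proctitle"]).split(b"\0")
            out.append("serial %d proctitle: %s" % (rec["serial"], " ".join(a.decode("utf-8", "replace") for a in argv)))
        else:
            out.append("%s %s exe=%s syscall=%s success=%s" % (
                who, rec["type"], rec.get("exe", "?").strip('"'),
                rec.get("syscall", "?"), rec.get("success", "?")))
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Running it on the sample yields the `sudo -i` proctitle, the keystroke line `<^R>,"nss",<ret>` and `typed: less /etc/nsswitch.conf` for session 1287, i.e. what the text formatter collapsed into "typed" and "did-unknown". On the second question in the post: tty_audit records only what was typed, so the file name appears solely inside the USER_TTY payload, and `ausearch -f` matches PATH records, which are produced by a file watch (for example `auditctl -w /etc/nsswitch.conf -p rwa -k nsswitch`), not by keystroke logging; without such a rule there is nothing for `-f` to find.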