3:26 p.m.
Hi,
Just wanted to let everyone know that the next version of the Linux audit
daemon is available. You can get it from
http://people.redhat.com/sgrubb/audit. Or rawhide tomorrow (Monday the
21st).
This release is mostly a bug fix release. There were some issues with the
library files being in the wrong directory on 64bit machines.
Pam_audit was updated to write loginuid to /proc/pid/loginuid. Because of the
way pam works, this is done in the parent process and the login uid is
inherited by the child. This does not work for sshd because of privilege
separation. I'll have to patch that directly.
Added pam_session_close to handle logout messaging.
Update to kernel headers in 2.6.11rc3.
Let me know if there are any problems.
-Steve Grubb
1:58 p.m.
On Sun, Feb 20, 2005 at 04:26:49PM -0500, Steve Grubb wrote:
Pam_audit was updated to write loginuid to /proc/pid/loginuid.
Because of the
way pam works, this is done in the parent process and the login uid is
inherited by the child. This does not work for sshd because of privilege
separation. I'll have to patch that directly.
Your code already works for me with sshd if you put pam_audit.so into the
"session" stack:
Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from
::ffff:172.16.204.1 port 59550 ssh2
Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old
loginuid=4294967295 new loginuid=500
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24
loginuid=500 msg='login user=kw uid=500'
Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
[kw@rhel4 ~]$ cat /proc/self/loginuid
500
This was using audit-0.6.3-2 and kernel-2.6.9-5.EL.audit.6, and the
following pam config:
#%PAM-1.0
#
# pam.d/sshd - pam.d/sshd configuration for EAL4/CAPP compliance
# see the Evaluated Configuration Guide for more info
#
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_audit.so
Kris, I'll send out an updated preliminary cert RPM with this change
included.
-Klaus
8:08 a.m.
On Mon, 2005-02-21 at 13:58 -0600, Klaus Weidner wrote:
Your code already works for me with sshd if you put pam_audit.so into
the
"session" stack:
Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from
::ffff:172.16.204.1 port 59550 ssh2
Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old
loginuid=4294967295 new loginuid=500
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24
loginuid=500 msg='login user=kw uid=500'
Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
[kw@rhel4 ~]$ cat /proc/self/loginuid
500
Yes, Steve was likely assuming that it wouldn't work because we couldn't
use pam_selinux with sshd. But that is due to the fact that we also
need to relabel the pty in pam_selinux, which is not an issue for
pam_audit.
session required pam_stack.so service=system-auth
session required pam_audit.so
Hmm...for pam_selinux, we have to bracket the pam stack with pam_selinux
close and pam_selinux open to ensure that the SELinux exec security
context is not set until _after_ all other pam modules (and their
helpers) have executed on session open and is closed _before_ all other
pam modules (and their helpers) execute on session close. Is that a
concern for the loginuid?
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
2:18 p.m.
On Sun, 20 Feb 2005 16:26:49 EST, Steve Grubb said:
Pam_audit was updated to write loginuid to /proc/pid/loginuid.
Because of the
way pam works, this is done in the parent process and the login uid is
inherited by the child. This does not work for sshd because of privilege
separation. I'll have to patch that directly.
OK, I'm a PAM idiot, and the manpage doesn't help much...
It's unclear where pam_audit should be placed relative to other pam exits.
For that matter, it's unclear if I can just stick it in the system-auth that
gets included by everybody. Are there any cases where we *don't* want it in there?
2:55 p.m.
On Mon, Feb 21, 2005 at 03:18:55PM -0500, Valdis.Kletnieks(a)vt.edu wrote:
On Sun, 20 Feb 2005 16:26:49 EST, Steve Grubb said:
> Pam_audit was updated to write loginuid to /proc/pid/loginuid.
> Because of the way pam works, this is done in the parent process and
> the login uid is inherited by the child. This does not work for sshd
> because of privilege separation. I'll have to patch that directly.
OK, I'm a PAM idiot, and the manpage doesn't help much...
It's unclear where pam_audit should be placed relative to other pam
exits.
Try the following:
*** login
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_audit.so
session required pam_selinux.so multiple open
*** sshd
session required pam_stack.so service=system-auth
session required pam_audit.so
For that matter, it's unclear if I can just stick it in the
system-auth
that gets included by everybody. Are there any cases where we *don't*
want it in there?
You don't want a new login UID assigned if someone uses 'su', 'sudo'
or
equivalent (that's the entire point of having a login UID maintained
separately), so putting it into system-auth is not a good idea.
-Klaus
3:06 p.m.
On Mon, 21 Feb 2005 14:55:38 CST, Klaus Weidner said:
Try the following:
*** login
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_audit.so
session required pam_selinux.so multiple open
*** sshd
session required pam_stack.so service=system-auth
session required pam_audit.so
And presumably similar for gdm if such is in use..
> For that matter, it's unclear if I can just stick it in the
system-auth
> that gets included by everybody. Are there any cases where we *don't*
> want it in there?
You don't want a new login UID assigned if someone uses 'su', 'sudo'
or
equivalent (that's the entire point of having a login UID maintained
separately), so putting it into system-auth is not a good idea.
Ahh.. I *knew* there was a reason, I just couldn't put my finger on it. :)
3:11 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
Hello,
I can't get vsftp working with the pam_audit.so module, vsftpd unfortunately
doesn't appear to run the "auth" or "session" stack in a way that
works
for pam_audit.so.
The patch below modifies the pam_audit.so module to allow it to be used
in the "account" stack also, which is a workaround for vsftpd. It
shouldn't break anything else since the module should only be added
exactly where needed, so it normally won't be in that stack for any
application that doesn't need it.
-Klaus
--- audit-0.6.3/pam-module/pam_audit.c.orig 2005-02-21 13:31:42.000000000 -0600
+++ audit-0.6.3/pam-module/pam_audit.c 2005-02-21 14:50:08.564934464 -0600
@@ -156,7 +156,7 @@
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
- return PAM_SUCCESS;
+ return _pam_audit_login(pamh, flags, argc, argv);
}
PAM_EXTERN int
4:21 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
On Monday 21 February 2005 16:11, Klaus Weidner wrote:
I can't get vsftp working with the pam_audit.so module, vsftpd
unfortunately doesn't appear to run the "auth" or "session" stack
in a way
that works for pam_audit.so.
If you run it in the acct stack, you don't get a logout audit message do you?
Isn't that needed for CAPP compliance?
-Steve
4:30 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
On Mon, Feb 21, 2005 at 05:21:40PM -0500, Steve Grubb wrote:
On Monday 21 February 2005 16:11, Klaus Weidner wrote:
> I can't get vsftp working with the pam_audit.so module, vsftpd
> unfortunately doesn't appear to run the "auth" or "session"
stack in a way
> that works for pam_audit.so.
If you run it in the acct stack, you don't get a logout audit message do you?
Isn't that needed for CAPP compliance?
I'm not aware of an explicit CAPP requirement for logout messages, so I'd
consider that to be a "nice to have" feature.
-Klaus
4:44 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
--- Klaus Weidner <klaus(a)atsec.com> wrote:
I'm not aware of an explicit CAPP requirement for
logout messages, so I'd
consider that to be a "nice to have" feature.
You need a logout message. Really.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Read only the mail you want - Yahoo! Mail SpamGuard.
http://promotions.yahoo.com/new_mail
6:47 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey Schaufler wrote:
--- Klaus Weidner <klaus(a)atsec.com> wrote:
> I'm not aware of an explicit CAPP requirement for
> logout messages, so I'd
> consider that to be a "nice to have" feature.
You need a logout message. Really.
Can you point to a specific requirement in CAPP related to that?
Note that even if you have logout records, they are not a reliable
indication that the session is complete, there may be background
processes launched by the user that keep running (and potentially
generating audit events) after the logout message. If you need that kind
of information and you aren't satisfied with the login UID, you need to
trace all fork/exec/exit events for the session.
-Klaus
8:13 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
--- Klaus Weidner <klaus(a)atsec.com> wrote:
On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey
Schaufler wrote:
> --- Klaus Weidner <klaus(a)atsec.com> wrote:
> > I'm not aware of an explicit CAPP requirement
for
> > logout messages, so I'd
> > consider that to be a "nice to have" feature.
>
> You need a logout message. Really.
Can you point to a specific requirement in CAPP
related to that?
Nope. On the other hand, I cannot point to
a system that has been successfully evaluated
that does not do this.
Note that even if you have logout records, they are
not a reliable
indication that the session is complete, there may
be background
processes launched by the user that keep running
(and potentially
generating audit events) after the logout message.
This will, of course, depend on how carefully
you've defined a "session". A detached process
that is not associated with a controlling tty
cannot interact with the user, hence need not
be considered a part of the user's session.
On the other hand, the collection on processes
started by a cron job is a session, even though
no user is interacting.
My point? It's not enough to have code that
does auditing. No evaluation team, even a
Spanish team using the Common Criteria, will
have any patience with you if you take the
attitude of "show me where it says I have to
do this". Especially if you use the fact that
the system makes audit hard to explain as the
grounds for your argument. You need to define
the audit strategy that answers questions like:
- I have a login message, why isn't there a
logout message?
- I found the event I was after. How do I find
out when the evil person logged in, and when
she logged out?
If you need that kind
of information and you aren't satisfied with the
login UID, you need to
trace all fork/exec/exit events for the session.
Auditing the introduction (fork) and
deletion (exit) of subjects (processes)
is certainly a requirement. But take heart,
you only have to be able to do it, you
are only required to do all the time
it if there's no other way to track the
session. A logout message does wonders
toward having a compelling story without
this level of audit.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250
9:29 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
On Mon, Feb 21, 2005 at 06:13:37PM -0800, Casey Schaufler wrote:
Nope. On the other hand, I cannot point to a system that has been
successfully evaluated that does not do this.
RHEL3, SLES8 and SLES9 have all been successfully evaluated as CAPP
compliant with no logout messages...
This will, of course, depend on how carefully you've defined a
"session". A detached process that is not associated with a controlling
tty cannot interact with the user, hence need not be considered a part
of the user's session.
Well, they are running on behalf of that user and need to be audited in
the same way as if the user were still logged in. And the "interactive"
distinction is fuzzy at best - what about programs run in a "screen"
session that get detached and reattached later? Or a background program
that opens a network socket accepting interactive commands? That's why a
logout message is far less informative than a login message, it doesn't
correspond to any particularily interesting or security relevant event.
On the other hand, the collection on processes started by a cron job
is
a session, even though no user is interacting.
Agreed, that's why crond needs to be instrumented to set up a proper
audit context for the code run on the user's behalf, including the
correct login UID. It doesn't mean that cron needs to write login/logout
records.
My point? It's not enough to have code that does auditing. No
evaluation team, even a Spanish team using the Common Criteria, will
have any patience with you if you take the attitude of "show me where
it says I have to do this". Especially if you use the fact that the
system makes audit hard to explain as the grounds for your argument.
Well, I'd have little patience with evaluation teams that expect me to
implement something that clearly isn't required. It's the evaluator's job
to verify that you correctly implement the features your product claims
to have and that the claims match the chosen profile, not to dictate a
design.
- I found the event I was after. How do I find out when the evil
person
logged in, and when she logged out?
The login message will be present, and tells you interesting things such
as when and from where the person logged in and what authentication
method was used. Instead of asking for a logout time, the more
interesting question would be if any processes launched by that person
are still active, and a logout message doesn't help determine that.
A logout message would be useful if the system guaranteed that all
processes launched by that user are definitely terminated at that time,
but that goes beyond the requirements of CAPP.
A logout message does wonders toward having a compelling story
without
this level of audit.
Hmmm, the type of evaluation I'm used to generally involves testing
instead of having the developer tell stories ;-)
Maybe we'll just have to agree to disagree here, there are different ways
to approach this issue. The CAPP audit requirements are fairly basic and
aren't intended to be useful for all purposes.
-Klaus
11:09 p.m.
New subject: [PATCH] support using pam_audit.so in "account" stack
--- Klaus Weidner <klaus(a)atsec.com> wrote:
On Mon, Feb 21, 2005 at 06:13:37PM -0800, Casey
Schaufler wrote:
> Nope. On the other hand, I cannot point to a
system that has been
> successfully evaluated that does not do this.
RHEL3, SLES8 and SLES9 have all been successfully
evaluated as CAPP
compliant with no logout messages...
Well, then I guess you're right and I'm wrong.
> This will, of course, depend on how carefully
you've defined a
> "session". A detached process that is not
associated with a controlling
> tty cannot interact with the user, hence need not
be considered a part
> of the user's session.
Well, they are running on behalf of that user and
need to be audited in
the same way as if the user were still logged in.
And the "interactive"
distinction is fuzzy at best - what about programs
run in a "screen"
session that get detached and reattached later? Or a
background program
that opens a network socket accepting interactive
commands? That's why a
logout message is far less informative than a login
message, it doesn't
correspond to any particularily interesting or
security relevant event.
It is interesting as a bracket for a group
of activities, just as the login is.
> On the other hand, the collection on processes
started by a cron job is
> a session, even though no user is interacting.
Agreed, that's why crond needs to be instrumented to
set up a proper
audit context for the code run on the user's behalf,
including the
correct login UID. It doesn't mean that cron needs
to write login/logout
records.
Hum. We had to for our TCSEC evaluation,
and carried the code into the CC evaluation
because it was still working.
> My point? It's not enough to have code that does
auditing. No
> evaluation team, even a Spanish team using the
Common Criteria, will
> have any patience with you if you take the
attitude of "show me where
> it says I have to do this". Especially if you use
the fact that the
> system makes audit hard to explain as the grounds
for your argument.
Well, I'd have little patience with evaluation teams
that expect me to
implement something that clearly isn't required.
Ah, the Orange Book days were a bit tougher.
It's the evaluator's job
to verify that you correctly implement the features
your product claims
to have and that the claims match the chosen
profile, not to dictate a
design.
That was a major source of contention
back in the day.
> - I found the event I was after. How do I find out
when the evil person
> logged in, and when she logged out?
The login message will be present, and tells you
interesting things such
as when and from where the person logged in and what
authentication
method was used. Instead of asking for a logout
time, the more
interesting question would be if any processes
launched by that person
are still active, and a logout message doesn't help
determine that.
Perhaps.
A logout message would be useful if the system
guaranteed that all
processes launched by that user are definitely
terminated at that time,
but that goes beyond the requirements of CAPP.
It's still useful to know when the user session
ended, even if all the activities haven't ceased.
> A logout message does wonders toward having a
compelling story without
> this level of audit.
Hmmm, the type of evaluation I'm used to generally
involves testing
instead of having the developer tell stories ;-)
This is a major difference between the TCSEC
and CC evaluations. We told lots and lots of
stories in the TCSEC days.
Maybe we'll just have to agree to disagree here,
there are different ways
to approach this issue. The CAPP audit requirements
are fairly basic and
aren't intended to be useful for all purposes.
True enough.
=====
Casey Schaufler
casey(a)schaufler-ca.com
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
11:25 p.m.
New subject: support using pam_audit.so in "account" stack
On Mon, 2005-02-21 at 18:13 -0800, Casey Schaufler wrote:
--- Klaus Weidner <klaus(a)atsec.com> wrote:
> On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey
> Schaufler wrote:
> > --- Klaus Weidner <klaus(a)atsec.com> wrote:
> > > I'm not aware of an explicit CAPP requirement
> for
> > > logout messages, so I'd
> > > consider that to be a "nice to have" feature.
> >
> > You need a logout message. Really.
>
> Can you point to a specific requirement in CAPP
> related to that?
Nope. On the other hand, I cannot point to
a system that has been successfully evaluated
that does not do this.
I'd also recommend including logout information - regardless of the fact
that non-interactive access may still continue (eg:
nohup /path/to/blah), it is pretty important for some organisations to
be able to determine a users interactive login and logout times.
Sure, this information can be grabbed indirectly from exec* events, or
even file-open data, but the volume of audit data that results from
enabling such events may not be justifiable in the context of a
workstation, where the goal may be just to provide 'supporting evidence'
of a problem/compromise on a server system.
For example:
On a server system, administrators have decided to enable file auditing
for the /path/to/secretstuff directory.
Audit log data indicates that the user 'joe_bloggs' attempted to access
a file /path/to/secretstuff/classified.txt at 3am.
The security admin team would be interested in verifying that poor old
Joe was actually logged into his usual workstation at this point. If log
data on the workstation indicated that Joe logged out of his normal
workstation at 17:00 the previous day, and door security records could
correlate that data, then the investigation should proceed in different
directions.
There are also situations where a supervisor may need to verify a users
'timesheet' data due to fraud investigation activity - and login/logout
records may be a useful tool for this (even if it may not be the most
appropriate use of a security audit trail ;)
Regards,
Leigh.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
11 a.m.
New subject: support using pam_audit.so in "account" stack
On Tue, Feb 22, 2005 at 04:25:35PM +1100, Leigh Purdie wrote:
I'd also recommend including logout information - regardless of
the fact
that non-interactive access may still continue (eg:
nohup /path/to/blah), it is pretty important for some organisations to
be able to determine a users interactive login and logout times.
Don't misunderstand me - I'm not opposed to logout information and agree
that it can be helpful, but it's not required for CAPP compliance and is
misleading information if the users get moderately creative.
For some applications such as vsftpd the application code would need to
be changed to get a logout record - it pretty much requires that there is
a privileged process that monitors the session, and not all services are
structured that way
-Klaus
4:59 p.m.
New subject: support using pam_audit.so in "account" stack
On Tue, 2005-02-22 at 11:00 -0600, Klaus Weidner wrote:
On Tue, Feb 22, 2005 at 04:25:35PM +1100, Leigh Purdie wrote:
> I'd also recommend including logout information - regardless of the fact
> that non-interactive access may still continue (eg:
> nohup /path/to/blah), it is pretty important for some organisations to
> be able to determine a users interactive login and logout times.
Don't misunderstand me - I'm not opposed to logout information and agree
that it can be helpful, but it's not required for CAPP compliance and is
misleading information if the users get moderately creative.
For some applications such as vsftpd the application code would need to
be changed to get a logout record - it pretty much requires that there is
a privileged process that monitors the session, and not all services are
structured that way
True enough. I stuck login/logout auditing in the 'too hard' basket in
Snare for a fair while, for this (and other) reasons myself. However, If
I printed out the number of requests I'd received for login/logout data
in Snare, I'd be swimming in a paper storm at the moment. ;)
My suggestion is 'build it, and they will come'. Up until recently, SSH
on solaris didn't generate a login/logout message either, but the code
has been modified due to many customer requests. Cover the core feature
set that most people are interested in (interactive login/logout), and
other applications such as vsftp/ssh etc, can be integrated on a
priority basis later on down the track.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
7242
days inactive
7244
days old
linux-audit@lists.linux-audit.osci.io
16 comments
7 participants
participants (7)
-
Casey Schaufler -
Klaus Weidner -
Klaus Weidner -
Leigh Purdie -
Stephen Smalley -
Steve Grubb -
Valdis.Kletnieks@vt.edu