11:17 a.m.
I'm having trouble getting started with audit on FC4.
First, it appears I don't have file watch enabled in my kernel. Is file
watch enabled in the FC5 kernel, or still only in RHEL?
Second, I tried a basic test to audit files opened by a specific user (per
the auditctl man page) but it doesn't seem to work:
------------>8------------
[root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600
audit.log:
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
audit rule
[develop@localhost ~]$ id
uid=600(develop) gid=600(develop) groups=600(develop)
context=user_u:system_r:unconfined_t
[develop@localhost ~]$ echo foo >> temp
audit.log:
<NO OUTPUT TO AUDIT LOG>
[root@localhost ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256
lost=0 backlog=0
[root@localhost ~]# auditctl -l
AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
File system watches not supported
audit.log:
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1142975791.439:6635): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec
a2=10 a3=0 a4=bfb8fd08 a5=c
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005
i686 i686 i386 GNU/Linux
[root@localhost ~]# getenforce
Enforcing
------------8<------------
Should this experiment have produced any output to audit.log when the user
wrote to a file? If not, why not? If so, could the stuff being logged
during the rules listing indicate a problem, or are those "unrecognized
netlink messages" normal?
Thanks for any help,
Steve Brueckner, ATC-NY
1:09 p.m.
On Wednesday 22 March 2006 12:17, Steve Brueckner wrote:
First, it appears I don't have file watch enabled in my kernel.
Is file
watch enabled in the FC5 kernel, or still only in RHEL?
Only RHEL. There was a conflict with inotify when it was sent upstream. That
is being reworked and a new patch is nearly ready for upstream submission.
Second, I tried a basic test to audit files opened by a specific user
(per
the auditctl man page) but it doesn't seem to work:
It should work if everything is setup.
[root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600
audit.log:
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
audit rule
To use loginuid, you have to make sure that loginuid is actually getting set.
(The above seems to indicate that iits not.) This is done by the pam_loginuid
module. Also, look at its man page. You'll need that in login, sshd, or gdm
pam config.
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux:
unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="auditctl" exe="/sbin/auditctl"
type=SOCKADDR msg=audit(1142975791.439:6635):
saddr=100000000000000000000000 type=SOCKETCALL
msg=audit(1142975791.439:6635): nargs=6 a0=3 a1=bfb8dbec a2=10 a3=0
a4=bfb8fd08 a5=c
If you get this on the command prompt, you don't have a new enough kernel. You
really want to be using 2.6.13 at a minimum.
Should this experiment have produced any output to audit.log when the
user
wrote to a file? If not, why not?
Yes, you need to upgrade the kernel and I'd update to audit-1.0.14 if on FC4.
-Steve
1:30 p.m.
On Wed, 2006-03-22 at 12:17 -0500, Steve Brueckner wrote:
I'm having trouble getting started with audit on FC4.
First, it appears I don't have file watch enabled in my kernel. Is file
watch enabled in the FC5 kernel, or still only in RHEL?
Only in RHEL4 AFAIK. Not sure it's going to make FC5, but Steve could
better answer this.
Second, I tried a basic test to audit files opened by a specific user (per
the auditctl man page) but it doesn't seem to work:
------------>8------------
[root@localhost ~]# auditctl -a exit,always -S open -F loginuid=600
Just curious, have you tried: -F uid=600 ??
<snip>
audit.log:
type=CONFIG_CHANGE msg=audit(1142975396.109:6629): auid=4294967295 added an
audit rule
[develop@localhost ~]$ id
uid=600(develop) gid=600(develop) groups=600(develop)
context=user_u:system_r:unconfined_t
[develop@localhost ~]$ echo foo >> temp
audit.log:
<NO OUTPUT TO AUDIT LOG>
[root@localhost ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=26244 rate_limit=0 backlog_limit=256
lost=0 backlog=0
[root@localhost ~]# auditctl -l
AUDIT_LIST: exit,always auid=600 (0x258) syscall=open
File system watches not supported
audit.log:
type=SELINUX_ERR msg=audit(1142975791.439:6635): SELinux: unrecognized
netlink message type=1009 for sclass=49
type=SYSCALL msg=audit(1142975791.439:6635): arch=40000003 syscall=102
success=no exit=-22 a0=b a1=bfb89970 a2=805a5dc a3=10 items=0 pid=27498
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Says here you loginuid (auid) is unsigned(-1), eh? Do you have the
proper PAM packages?
<snip>
Thanks for any help,
Steve Brueckner, ATC-NY
-tim
2:56 p.m.
On Wed, 22 Mar 2006 13:30:49 CST, "Timothy R. Chavez" said:
On Wed, 2006-03-22 at 12:17 -0500, Steve Brueckner wrote:
> I'm having trouble getting started with audit on FC4.
>
> First, it appears I don't have file watch enabled in my kernel. Is file
> watch enabled in the FC5 kernel, or still only in RHEL?
Only in RHEL4 AFAIK. Not sure it's going to make FC5, but Steve could
better answer this.
FC5 went out the door earlier this week, so it would have to be as an update to FC5.
2:41 p.m.
On 3/22/06, Steve Brueckner <steve(a)atc-nycorp.com> wrote:
I'm having trouble getting started with audit on FC4.
First, it appears I don't have file watch enabled in my kernel. Is file
watch enabled in the FC5 kernel, or still only in RHEL?
It is only enabled in the RHEL-4 kernels. The patch for this was not
accepted upstream and is being reworked for inclusion in 2.6.17/18
timeframe (if I have my notes correct). I am not sure that the below
would work without the file patches.
Second, I tried a basic test to audit files opened by a specific user
(per
the auditctl man page) but it doesn't seem to work:
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
4:01 p.m.
On Wed, Mar 22, 2006 at 01:41:21PM -0700, Stephen J. Smoogen wrote:
I have my notes correct). I am not sure that the below would work
without the file patches.
The functionality Steve B is inquiring about is unrelated to the
filesystem audit patches. If you use the 'uid' field instead of
'loginuid', you will see the records you expect, e.g.:
auditctl -a exit,always -S open -F uid=600
Filtering with 'uid' is based on the user actually executing the open
operation. Filtering with 'loginuid' (called auid in the audit log)
is based on the user id used to gain access to the system, although
they may be opening the file as another user.
Records will be logged in different situations based on your choice of
these filter fields. Of course, even if you don't want to filter
based on loginuid, it would be good to ensure it is being collected by
audit, as others have suggested.
> Second, I tried a basic test to audit files opened by a specific user (per
> the auditctl man page) but it doesn't seem to work:
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
6848
days inactive
6849
days old
linux-audit@lists.linux-audit.osci.io
5 comments
6 participants
participants (6)
-
Amy Griffis -
Stephen J. Smoogen -
Steve Brueckner -
Steve Grubb -
Timothy R. Chavez -
Valdis.Kletnieks@vt.edu