Hello All,
I've been working on getting audit/audisp-prelude/prelude set up on Fedora
10 and ran into a situation where it appears that audisp-prelude is not
triggering on watched syscall events.
The system is running Fedora 10 with the 2.6.27.9-159.fc10 kernel and audit
and audispd-plugins 1.7.10 and the host of prelude software and libraries. I
followed Steve's HOWTO on installing and configuring audit and prelude and
got it all installed without difficulties. After the configuration, I
restarted auditd and saw that audispd and audisp-prelude were running and
so was prelude-manager and mysql. After starting up the prewikka-httpd and
pointing the web browser at the system, I tried a few things, like logging in
and out successfully and unsuccessfully. I was pleased to see the
events pop up in the browser window. I did some more tests wherein I caused
programs to seg fault and these events got recorded too. Needless to say I
was impressed. Next I used the system-config-audit GUI tool to create some
watch points on files with the ids-type-severity set to get audisp-prelude's
attention. Here's the listing of the rules from auditctl -l:
LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=ids-file-hi
LIST_RULES: exit,always watch=/bin/ping perm=x key=ids-exec-inf
I restarted auditd and ran ping. Nothing showed up in the browser window. I
ran ping again, several times. Nothing at all. I did some things to
/etc/shadow and nothing. I did an ausearch for the key=ids-exec-inf and got
something like this:
time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"
So, it looks like the watch points are firing and the records are getting into
the audit log.
Then I did an aureport --summary -k:
Key Summary Report
===========================
total file
===========================
112 ids-file-hi
16 ids-exec-inf
So both ausearch and aureport can find the keys and interpret them.
Next, I did ausearch --raw -k ids-file-hi > test.log and audisp-prelude --test
< ./test.log
Nothing happened. All I got was "audisp-prelude is exiting on stop request".
I was confused about what was happening. Why do two programs see the keys and
not the other one?
So I downloaded the source (audit-1.7.10.tar.gz) and rebuilt the audit
package with prelude. When I executed the locally built audisp-prelude as
above, I got the same result.
Looking through the code, the file audisp_prelude.c has a function called
handle_watched_syscalls. After playing around with putting debug statements
into the code and rerunning the test, over several runs, it looks like
auparse_find_field is not finding the "key" field. The reason ausearch and
aureport can find the "key" field is that they don't use auparse. I edited
the test.log file and moved the "key" fields to the start of the record and
ran the test; no difference. Next, I modified the source of audisp-prelude.c
so that instead of looking for "key" to introduce "ids-" info,
handle_watched_syscalls would look for "subj" instead (I picked this one
since I had seen that auparse_find_field could find this field). I edited
the test.log to replace "key=" with "subj=" and reran the test. This time I
got output:
version: <empty>
alert:
analyzer(0):
analyzerid: 4123513432298101
name: auditd
manufacturer: Red Hat,
http://people.redhat.com/sgrubb/audit/
model: auditd
version: 1.7.10
class: HIDS
ostype: Linux
osversion: 2.6.27.9-159.fc10.i686
node:
category: unknown (0)
name: localhost.localdomain
process:
name: lt-audisp-prelude
pid: 3661
path:
/home/gsmith/Projects/audit-1.7.10/audisp/plugins/prelude/.libs/lt-audisp-prelude
create_time: 06/01/2009 15:28:34.312712 -08:00
classification:
detect_time: 31/12/2008 10:08:16.0 -08:00
source(0):
spoofed: unknown (0)
node:
category: hosts (6)
name:
dr-who.timelord.com
user:
category: application (1)
user_id(0):
type: original-user (0)
tty: pts1
name: gsmith
number: 500
process:
name: ping
pid: 3391
path: /bin/ping
target(0):
decoy: unknown (0)
node:
category: hosts (6)
name:
dr-who.timelord.com
file(0): text: Watched Executable
name: ping
path: /bin/ping
category: current (1)
assessment:
impact:
severity: info (1)
completion: succeeded (2)
type: user (5)
description: A user has attempted to execute a program that is being watched.
additional_data(0):
type: string (0)
meaning: Execve args
data: a0=ping a1=-c a2=5 a3=10.0.2.2
additional_data(1):
type: string (0)
meaning: Audit event serial #
data: 66
Looking further, I found auparse_find_next calls nvlist_find_name in
nvlist.c. I added some debug statements to nvlist_find_name, and it seems to
never compare its linked list of names against "key". So, I'm guessing
that the linked list is not built correctly.
So, have I been barking up the wrong tree on why audisp-prelude does not
trigger on "key=ids-" type of fields? Any comments would be greatly
appreciated.
Best regards,
Gary Smith
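As an added illustration (not code from the post, nor from the audit project or libauparse), here is a small stand-alone Python parser for the raw audit record format quoted above: it groups records by their msg=audit(timestamp:serial) header, looks a field up across all records of an event in the way the post expects auparse_find_field to, and reports which events carry an "ids-" key. The sample log is constructed from the ping event shown above; the function and variable names are the example's own.

```python
import re
# Constructed sample in the style of the ausearch output quoted in the post
SAMPLE_LOG = """\
time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"
"""
# name=value pairs: the value is either double-quoted (may contain spaces) or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):')  # msg=audit(timestamp:serial): ties an event's records together

def parse_record(line):
    """Return ((timestamp, serial), fields) for one raw record, or None for non-record lines."""
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the quoting auditd puts around string values
        fields[name] = value
    m = MSG_RE.match(fields.get("msg", ""))
    if not m:
        return None  # "time->..." headers and "----" separators carry no msg=audit(...)
    return (m.group(1), int(m.group(2))), fields

def parse_events(text):
    """Group records that share one (timestamp, serial) into an event: a list of field dicts."""
    events = {}
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events.setdefault(parsed[0], []).append(parsed[1])
    return events

def find_field(event, name):
    """First value of a field across all records of the event (roughly what auparse_find_field does)."""
    for record in event:
        if name in record:
            return record[name]
    return None

def watched_keys(events):
    """Map serial -> (exe, key) for events whose key carries the 'ids-' prefix audisp-prelude looks for."""
    hits = {}
    for (_, serial), event in events.items():
        key = find_field(event, "key")
        if key and key.startswith("ids-"):
            hits[serial] = (find_field(event, "exe"), key)
    return hits
```

Feeding a real ausearch --raw dump to parse_events and checking find_field(event, "key") for each event confirms whether the key field is present and parseable before suspecting the plugin.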