* Problem with watching power commands - key is not logged
From: Damian Tykałowski @ 2017-01-28 12:16 UTC
To: linux-audit

Hi

I'm struggling to get proper auditing of usage of power commands; here's what I've got in rules:

[root@host01 ~]# cat /etc/audit/audit.rules | grep power
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power

However, despite a full host reboot / refreshing the rules, I'm not getting events with the proper key "power":

[root@host01 ~]# cat /var/log/audit/audit.log | grep power
<empty>

Events are logged, though, but without a key:

type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

Any idea what is wrong? Rules with other keys seem to work.
* Re: Problem with watching power commands - key is not logged
From: Richard Guy Briggs @ 2017-01-29 21:40 UTC
To: Damian Tykałowski; Cc: linux-audit

On 2017-01-28 13:16, Damian Tykałowski wrote:
> Hi

Hi Damian,

> I'm struggling to get proper auditing of usage of power commands; here's
> what I've got in rules:
>
> [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> -w /sbin/shutdown -p rwx -k power
> -w /sbin/poweroff -p rwx -k power
> -w /sbin/reboot -p rwx -k power
> -w /sbin/halt -p rwx -k power
> -w shutdown -p rwx -k power
> -w poweroff -p rwx -k power
> -w reboot -p rwx -k power
> -w halt -p rwx -k power
>
> However, despite a full host reboot / refreshing the rules, I'm not getting events
> with the proper key "power":
>
> [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> <empty>
>
> Events are logged, though, but without a key:
>
> type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
>
> type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
>
> Any idea what is wrong? Rules with other keys seem to work.

I suspect you have another rule that is catching it first?

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: Problem with watching power commands - key is not logged
From: Damian Tykałowski @ 2017-01-30 9:31 UTC
To: Richard Guy Briggs; Cc: linux-audit

I found it out. auditctl -l did not list the rule as loaded; I checked the auditd logs more deeply and found it had stopped loading rules at some point due to a duplicated rule. After sorting that out, it loaded all rules correctly. Sorry for the trouble.

On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> I suspect you have another rule that is catching it first?
>
> - RGB
* Re: Problem with watching power commands - key is not logged
From: Stephen Buchanan @ 2017-01-30 16:32 UTC
To: Damian Tykałowski; Cc: linux-audit

Glad to hear that it's working for you now.

Typically, the '-w <path/filename>' syntax is to watch system files for modification, not so much to audit the execution of the command (like for power events, as you're doing). The way I audit reboot commands (among others) is:

-a always,exit -F arch=b32 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap
-a always,exit -F arch=b64 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap

and

-w /var/run/utmp -p wa -k session

This might not be sufficient for your needs, but hopefully it's helpful.

Stephen

On Mon, Jan 30, 2017 at 5:21 AM Damian Tykałowski <d47zm3@gmail.com> wrote:
> I found it out. auditctl -l did not list the rule as loaded; I checked the auditd logs more deeply
> and found it had stopped loading rules at some point due to a duplicated rule.
> After sorting that out, it loaded all rules correctly. Sorry for the trouble.
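The two failure modes in this thread are worth checking for mechanically before a rules file goes on a host. First, auditctl -R stops at the first rule the kernel rejects unless it is run with -c (see auditctl(8)), and a rule identical to one already loaded is rejected, so a single duplicate silently drops every rule after it; auditctl -l is the only honest view of what actually loaded. Second, the USER_CMD records in the original post are written by sudo through the user-space audit API, not by a kernel rule, so they can never carry a -k key; the key only appears on the SYSCALL record of the event a kernel rule (a -w watch with -p x does fire on execve of the watched binary, as does a -S reboot syscall rule) produces. The script below is an added example, not code from the thread or from the audit-userspace project: it lints an audit.rules file for exact duplicates and non-absolute watch paths (auditctl requires absolute paths for -w), and groups audit records by key per event the way ausearch -k would, so the key-less USER_CMD event stands out. The rules file and log excerpt it operates on are constructed, modelled on the messages above.

```python
"""Lint an auditd rules file and group audit records by key.

Added example for this thread; not code from the list or from the
audit-userspace project. Assumes classic audit.rules syntax
(-w path -p perms -k key / -a action,list -F ... -S ... -k key) and the
kernel's key="..." field on SYSCALL records. The sample rules and log
lines below are constructed, modelled on the thread.
"""
import re
import shlex
from collections import defaultdict

# Constructed rules file: one exact duplicate (line 9 repeats line 3)
# and one watch with a relative path (line 8), as in the original post.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S reboot -S swapon -k reboot_sched_swap
"""


def normalize_rule(line: str) -> str:
    """Canonical spacing so the same rule written twice compares equal."""
    return " ".join(shlex.split(line))


def lint_rules(text: str) -> dict:
    """Return {'duplicates': [(line, first_line, rule)],
               'relative_watches': [(line, path)]}.

    auditctl -R stops at the first rejected rule unless -c is given, and
    the kernel rejects a rule that already exists, so a duplicate means
    every rule after it is never loaded. Watch paths must be absolute.
    """
    seen = {}
    duplicates = []
    relative = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        norm = normalize_rule(line)
        if norm.startswith(("-w ", "-a ")):
            if norm in seen:
                duplicates.append((lineno, seen[norm], norm))
            else:
                seen[norm] = lineno
        if norm.startswith("-w "):
            path = norm.split()[1]
            if not path.startswith("/"):
                relative.append((lineno, path))
    return {"duplicates": duplicates, "relative_watches": relative}


# Constructed audit.log excerpt: a sudo USER_CMD record (user space, no
# key) and two kernel events produced by -k rules (execve of the watched
# /sbin/reboot, then the reboot syscall).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1485604577.101:680): arch=c000003e syscall=59 success=yes exit=0 ppid=3490 pid=3491 auid=5004 uid=0 comm="reboot" exe="/usr/sbin/reboot" key="power"
type=PATH msg=audit(1485604577.101:680): item=0 name="/sbin/reboot" inode=131203 nametype=NORMAL
type=SYSCALL msg=audit(1485604580.000:681): arch=c000003e syscall=169 success=yes exit=0 ppid=1 pid=3502 auid=4294967295 uid=0 comm="systemd-shutdow" key="reboot_sched_swap"
"""

EVENT_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\)")
KEY_RE = re.compile(r'\bkey="([^"]*)"')


def records_by_key(log_text: str) -> dict:
    """Map key -> [(event serial, [record types])].

    The key is a property of the whole event (all records sharing the
    serial after the colon), which is how ausearch -k matches. Events
    with no key at all, such as sudo's USER_CMD, land under None.
    """
    events = {}  # serial -> [key, [record types]]
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial = m.groups()
        entry = events.setdefault(serial, [None, []])
        entry[1].append(rtype)
        k = KEY_RE.search(line)
        if k:
            entry[0] = k.group(1)
    out = defaultdict(list)
    for serial, (key, types) in events.items():
        out[key].append((serial, types))
    return dict(out)


if __name__ == "__main__":
    for issue, items in lint_rules(SAMPLE_RULES).items():
        print(issue, items)
    for key, evs in records_by_key(SAMPLE_LOG).items():
        print(key, evs)
```

Run it against the real /etc/audit/audit.rules (or the files under /etc/audit/rules.d that augenrules merges) before loading; anything it flags as a duplicate would stop auditctl -R where the thread's rules stopped, and anything under the None key in the log grouping is a record no -k rule can ever tag.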