From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
To: "warron.french" <warron.french@gmail.com>,
	Steve Grubb <sgrubb@redhat.com>
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: RE: [EXT] Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
Date: Fri, 9 Jul 2021 14:22:18 +0000
Message-ID: <1823e6d3090d4c278d020effe1f4e6a0@APLEX10.dom1.jhuapl.edu>
In-Reply-To: <CAJdJdQmq4npG+7ez0Euq8Qza8VoRZB3MsQ5wJ0xTzKO+VTO-yA@mail.gmail.com>

Warren, I missed this part of your message.

>> This is an interesting topic.
>> Please, can you tell me what audit rule you are using that generates such records about root's (or any other account's) password change?

I double checked the rules on a different RHEL 7.9 system, and it looks like we are only picking up password change attempts for accts in the user space, but not root, so if the password was changed directly from a root login rather than via sudo from another acct, we probably won't see some of the related audit records.

This is the rule I believe is picking up password change events (dashes and the perm field as auditctl expects them):
                -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd


There is also a specific watch on /etc/shadow and gshadow:
                -w /etc/shadow -p wa -k identity

I just attempted, from a non-priv acct, to change the root passwd, and I see the following relevant audit record key-value pairs:

This shows I successfully ran the passwd command and that the root acct was targeted:
                type=PROCTITLE   ...  proctitle=passwd root   ...
                type=PATH        ...  name=/usr/bin/passwd
                type=SYSCALL     ...  comm=passwd  exe=/usr/bin/passwd  success=yes  key=setuid

This shows that a password change was attempted and failed, but doesn't seem to correctly indicate that the root acct was targeted (id=myusername, not root):
                type=USER_CHAUTHTOK  auid=myusername  msg='op=attempted-to-change-password  id=myusername  exe=/usr/bin/passwd  res=failed

So... based on this, unless the patch versions are a bit different between the two RHEL 7.9 systems I've been looking at, it looks like you are actually generating a reasonable message when a password change is attempted, but we probably need to make sure we are picking up all password changes, not just those in the user space.

I unfortunately don't have permission to change the audit rules, but will see if I can get the SA to test this for me. If you are able to test in your environment and can confirm my findings, that would be wonderful, but I think we probably found our smoking gun, LOL.

Thanks so much,
Karen Wieprecht
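Tying the two events together, as an added example that is not part of this thread: the id= field in USER_CHAUTHTOK names the invoking user, so the script below pairs that record with the PROCTITLE of the passwd execve event for the same pid and recovers the targeted account from the decoded command line. The raw log lines, serial numbers, pid and timestamps are constructed; uid 1000 stands in for "myusername".

```python
import re
from collections import defaultdict

# Constructed raw audit.log lines (not from the mail above), modelled on the records Karen
# lists; serials, pid and timestamps are made up, and uid 1000 stands for "myusername".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1625840000.100:101): arch=c000003e syscall=59 success=yes exit=0 pid=4242 auid=1000 uid=1000 comm="passwd" exe="/usr/bin/passwd" key="privileged-passwd"
type=PROCTITLE msg=audit(1625840000.100:101): proctitle=70617373776400726F6F74
type=USER_CHAUTHTOK msg=audit(1625840000.400:102): pid=4242 uid=1000 auid=1000 ses=3 msg='op=attempted-to-change-password id=1000 exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=failed'
"""

HEAD_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

def parse_line(line):
    """Split one raw audit record into a dict; the nested msg='...' fields are flattened."""
    head = HEAD_RE.match(line)
    rec = {"type": head.group(1), "serial": int(head.group(2))}
    for key, val in FIELD_RE.findall(head.group(3).replace("msg='", "")):
        rec.setdefault(key, val.strip("\"'"))
    return rec

def decode_proctitle(value):
    """auditd hex-encodes proctitle when the command line holds spaces or NULs."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).replace(b"\x00", b" ").decode(errors="replace").strip()
    return value

def password_change_attempts(log_text):
    """Attach the decoded passwd command line (same pid) to each USER_CHAUTHTOK record."""
    by_serial = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        by_serial[rec["serial"]].append(rec)
    cmdline_by_pid = {}
    for recs in by_serial.values():
        pid = next((r["pid"] for r in recs if r["type"] == "SYSCALL"), None)
        title = next((r["proctitle"] for r in recs if r["type"] == "PROCTITLE"), None)
        if pid and title:
            cmdline_by_pid[pid] = decode_proctitle(title)
    results = []
    for r in (r for recs in by_serial.values() for r in recs if r["type"] == "USER_CHAUTHTOK"):
        argv = cmdline_by_pid.get(r["pid"], "").split()
        operands = [a for a in argv[1:] if not a.startswith("-")]
        # passwd without an account operand changes the caller's own password
        target = operands[0] if operands else r["id"]
        results.append({"auid": r["auid"], "reported_id": r["id"], "target": target, "op": r["op"], "res": r["res"]})
    return results
```

On a live system the same pairing works over `ausearch --raw` output, which keeps proctitle hex-encoded exactly as in the sample.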

