From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
To: "warron.french" <warron.french@gmail.com>,
Steve Grubb <sgrubb@redhat.com>
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: RE: [EXT] Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
Date: Fri, 9 Jul 2021 14:22:18 +0000
Message-ID: <1823e6d3090d4c278d020effe1f4e6a0@APLEX10.dom1.jhuapl.edu>
In-Reply-To: <CAJdJdQmq4npG+7ez0Euq8Qza8VoRZB3MsQ5wJ0xTzKO+VTO-yA@mail.gmail.com>
Warren, I missed this part of your message.
>> This is an interesting topic.
>> Please, can you tell me what audit rule you are using that generates such records about root's (or any other account's) password change?
I double-checked the rules on a different RHEL 7.9 system, and it looks like we are only picking up password change attempts for accts in the user space, but not root, so if the password was changed directly from a root login rather than via sudo from another acct, we probably won’t see some of the related audit records.
This is the rule I believe is picking up password change events:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
There are also specific watches on /etc/shadow and gshadow:
-w /etc/shadow -p wa -k identity
I just attempted, from a non-priv acct, to change the root passwd, and I see the following relevant audit record key-value pairs:
This shows I successfully ran the passwd command and that the root acct was targeted:
type=PROCTITLE ... proctitle=passwd root ...
type=PATH name=/usr/bin/passwd
type=SYSCALL ... comm=passwd exe=/usr/bin/passwd success=yes key=setuid
This shows that a password change was attempted and failed, but doesn’t seem to correctly indicate that the root acct was targeted (id=myusername, not root):
type=USER_CHAUTHTOK auid=myusername msg='op=attempted-to-change-password id=myusername exe=/usr/bin/passwd res=failed'
So... based on this, unless the patch versions are a bit different between the two RHEL7.9 systems I’ve been looking at, it looks like you are actually generating a reasonable message when a password change is attempted, but we probably need to make sure we are picking up all password changes, not just those in the user space.
I unfortunately don’t have permission to change the audit rules, but will see if I can get the SA to test this for me. If you are able to test in your environment and can confirm my findings, that would be wonderful, but I think we probably found our smoking gun, LOL.
Thanks so much,
Karen Wieprecht
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
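As an added illustration (example code, not from this message or from the audit project): a small Python checker that parses constructed raw audit.log records for USER_CHAUTHTOK events and tests whether a passwd rule's auid filter leaves root-initiated changes unrecorded, the gap described in the message above. The sample records, the uids, and the key name privileged-passwd are constructed; the field layout follows the raw audit.log format.

```python
import re
# Constructed sample records in raw audit.log layout (not from the message): root's
# password changed by uid 1000 via passwd, by root logged in directly, and one
# failed attempt by uid 1000 (passwd's own record names the target as id=<uid>).
SAMPLE_LOG = [
    "type=USER_CHAUTHTOK msg=audit(1625840000.101:201): pid=3101 uid=1000 auid=1000 ses=4 "
    "msg='op=PAM:chauthtok grantors=pam_unix acct=\"root\" exe=\"/usr/bin/passwd\" "
    "hostname=? addr=? terminal=pts/0 res=success'",
    "type=USER_CHAUTHTOK msg=audit(1625840000.202:202): pid=3102 uid=0 auid=0 ses=5 "
    "msg='op=PAM:chauthtok grantors=pam_unix acct=\"root\" exe=\"/usr/bin/passwd\" "
    "hostname=? addr=? terminal=tty1 res=success'",
    "type=USER_CHAUTHTOK msg=audit(1625840000.303:203): pid=3103 uid=1000 auid=1000 ses=4 "
    "msg='op=attempted-to-change-password id=0 exe=\"/usr/bin/passwd\" "
    "hostname=? addr=? terminal=pts/0 res=failed'",
]

KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Flatten one raw audit line into a dict; fields nested in msg='...' are merged."""
    fields = {}
    for key, val in KV.findall(line):
        if key == "msg" and val.startswith("'"):
            fields.update(parse_record(val.strip("'")))  # PAM / passwd payload
        else:
            fields[key] = val.strip('"')
    return fields

def password_changes(lines):
    """(actor auid, target account, result) for every USER_CHAUTHTOK record."""
    events = []
    for rec in map(parse_record, lines):
        if rec.get("type") == "USER_CHAUTHTOK":
            events.append((rec["auid"], rec.get("acct") or rec.get("id"), rec.get("res")))
    return events

def rule_covers_root(rule):
    """False if any -F auid filter in an auditctl rule drops auid 0 (root)."""
    for op, num in re.findall(r"-F\s+auid(>=|<=|!=|=|>|<)(\d+)", rule):
        n = int(num)
        if ((op == ">=" and n > 0) or op == ">" or (op == "=" and n != 0)
                or (op == "!=" and n == 0) or (op == "<" and n == 0)):
            return False
    return True

# The thread's rule skips root's own sessions; the variant keeps only the "unset auid" filter.
WEAK_RULE = ("-a always,exit -F path=/usr/bin/passwd -F perm=x "
             "-F auid>=1000 -F auid!=4294967295 -k privileged-passwd")
FIXED_RULE = ("-a always,exit -F path=/usr/bin/passwd -F perm=x "
              "-F auid!=4294967295 -k privileged-passwd")
```

With the auid>=1000 filter in place the second sample (auid=0) still produces its USER_CHAUTHTOK record from PAM, but the SYSCALL record keyed privileged-passwd is never generated for it, which is what the check on the rule text reports.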
Thread overview: 8+ messages
2021-07-08 18:19 The format of password change audit events seems to have changed, Can you confirm the correct record type ? Wieprecht, Karen M.
2021-07-08 19:23 ` Steve Grubb
2021-07-08 22:53 ` warron.french
2021-07-09 0:46 ` Richard Guy Briggs
2021-07-09 12:06 ` warron.french
2021-07-09 13:18 ` [EXT] " Wieprecht, Karen M.
2021-07-09 14:22 ` Wieprecht, Karen M. [this message]
2021-07-10 14:57 ` Steve Grubb