* Help on Audit Rules
From: Koresh... @ 2012-10-17  2:51 UTC (permalink / raw)
  To: linux-audit


Hi Team,

I have enabled the audit logs recently ... Currently the auditd daemon is
logging all the events and syscalls based on the default rule set ...

But currently it only records the events done by the root user or via
sudo ...

Need your help to configure the same group-wise ... so that I can track
the group-wise events done, rather than adding a rule for each individual
user.


-- 

Thanks & Regards,

- Koresh


* Re: Help on Audit Rules
From: Peter Moody @ 2012-10-17 14:37 UTC (permalink / raw)
  To: Koresh...; +Cc: linux-audit


What rules are currently installed and what logs are you seeing?

* Re: Help on Audit Rules
From: Koresh... @ 2012-10-18  1:39 UTC (permalink / raw)
  To: Peter Moody; +Cc: linux-audit


Hi Peter,

Currently I am trying to achieve the same through the below configuration in the
audit.rules file ...

# Audit all execve calls
-a entry,always -S execve
-a entry,never
# Drop these record types from every event (exclude filter) before they reach auditd
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=CWD
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exclude,always -F msgtype=CRED_DISP

But the problem with the above rule is that it records all the SYSCALL and EXECVE
calls, which increases the log file size.

So my question is why normal users' audit event logs can't be captured as
"type=USER_TTY", whereas root logs can be captured that way.

Some logs for your reference:


type=EXECVE msg=audit(1350523801.169:137779): a0="/usr/lib/sa/sa1" a1="1"
a2="1"

type=SYSCALL msg=audit(1350523801.169:137780): arch=40000003 syscall=11
success=yes exit=0 a0=86e0ec0 a1=86e08b8 a2=86e0ed8 a3=86e08b8 items=2
ppid=18623 pid=18624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="sadc" exe="/usr/lib/sa/sadc"
subj=kernel key=(null)

type=EXECVE msg=audit(1350523801.169:137780): a0="/usr/lib/sa/sadc" a1="-F"
a2="-L" a3="1" a4="1" a5="-"

type=USER_END msg=audit(1350523801.185:137781): user pid=18623 uid=0
auid=4294967295 subj=kernel msg='PAM: session close acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

type=USER_TTY msg=audit(1350524060.169:137782): user pid=18576 uid=0
auid=655 subj=kernel msg='cat /etc/audit/audit.rules '

type=SYSCALL msg=audit(1350524060.169:137783): arch=40000003 syscall=11
success=yes exit=0 a0=8cc4780 a1=8cc4838 a2=8cbd860 a3=0 items=2 ppid=18576
pid=18625 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="cat" exe="/bin/cat" subj=kernel key=(null)

type=EXECVE msg=audit(1350524060.169:137783): a0="cat"
a1="/etc/audit/audit.rules"

type=USER_TTY msg=audit(1350524156.789:137784): user pid=18576 uid=0
auid=655 subj=kernel msg='tail -f /var/log/audit/audit.log'

type=SYSCALL msg=audit(1350524156.789:137785): arch=40000003 syscall=11
success=yes exit=0 a0=8cc4810 a1=8cc47d0 a2=8cbd860 a3=0 items=2 ppid=18576
pid=18626 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="tail" exe="/usr/bin/tail" subj=kernel key=(null)

type=EXECVE msg=audit(1350524156.789:137785): a0="tail" a1="-f"
a2="/var/log/audit/audit.log"

type=USER_END msg=audit(1350524172.558:137786): user pid=18249 uid=0
auid=1600 subj=kernel msg='PAM: session close acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'

type=SYSCALL msg=audit(1350524176.426:137787): arch=40000003 syscall=11
success=yes exit=0 a0=81f102e8 a1=81f12a60 a2=81f10300 a3=4 items=2
ppid=1045 pid=18627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd"
subj=kernel key=(null)

type=EXECVE msg=audit(1350524176.426:137787): a0="/usr/sbin/sshd" a1="-R"

type=USER_ACCT msg=audit(1350524176.642:137788): user pid=18627 uid=0
auid=4294967295 subj=kernel msg='PAM: accounting acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'

type=CRED_ACQ msg=audit(1350524176.642:137789): user pid=18627 uid=0
auid=4294967295 subj=kernel msg='PAM: setcred acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'

type=USER_START msg=audit(1350524176.642:137790): user pid=18627 uid=0
auid=1600 subj=kernel msg='PAM: session open acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'

type=CRED_REFR msg=audit(1350524176.642:137791): user pid=18629 uid=0
auid=1600 subj=kernel msg='PAM: setcred acct="sysmon" :
exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245,
terminal=ssh res=success)'


* Re: Help on Audit Rules
From: Miloslav Trmac @ 2012-10-18 11:29 UTC (permalink / raw)
  To: Koresh...; +Cc: linux-audit

----- Original Message ----- 
> So my question is why normal users audit event logs cant be captured
> as a "type=USER_TTY" , where as root logs can be captured
> similarway.
USER_TTY is sent by the process that accepts the keyboard input.  Unprivileged users are not allowed to send audit records (otherwise they would be able to fill the queue and/or the log partition, causing a DoS), so the USER_TTY record is discarded.

Even for unprivileged users you should have the type=TTY records, although they are noticeably more difficult to interpret.
   Mirek
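
As an added illustration (not code from the thread or from the audit project), the Python below correlates the SYSCALL and EXECVE records from Koresh's excerpt above by serial number, groups the resulting command lines by login uid so that an unprivileged session such as auid=655 is visible even though its USER_TTY record is discarded, and decodes the hex data field of the TTY records Mirek mentions. The TTY sample line, the UID_MIN of 500 and the helper names are my assumptions.

```python
import re
from collections import defaultdict

# Kernel value for "login uid not set": daemons such as cron and sshd itself show this.
AUID_UNSET = 4294967295

# Constructed sample, modelled on the records quoted earlier in the thread. The TTY
# record is an assumed addition: its data field is the hex-encoded keystrokes "ls -la\r".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1350523801.169:137780): arch=40000003 syscall=11 success=yes exit=0 a0=86e0ec0 a1=86e08b8 a2=86e0ed8 a3=86e08b8 items=2 ppid=18623 pid=18624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sadc" exe="/usr/lib/sa/sadc" subj=kernel key=(null)
type=EXECVE msg=audit(1350523801.169:137780): a0="/usr/lib/sa/sadc" a1="-F" a2="-L" a3="1" a4="1" a5="-"
type=SYSCALL msg=audit(1350524060.169:137783): arch=40000003 syscall=11 success=yes exit=0 a0=8cc4780 a1=8cc4838 a2=8cbd860 a3=0 items=2 ppid=18576 pid=18625 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=kernel key=(null)
type=EXECVE msg=audit(1350524060.169:137783): a0="cat" a1="/etc/audit/audit.rules"
type=TTY msg=audit(1350524100.000:137790): tty pid=18576 uid=0 auid=655 ses=4 major=136 minor=0 comm="bash" data=6C73202D6C610D
"""

REC_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its type, serial number and key=value fields."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "serial": int(m.group("serial")), **fields}


def execve_events(lines):
    """Join the SYSCALL and EXECVE records that share a serial into one event per execve."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        ev = events.setdefault(rec["serial"], {})
        if rec["type"] == "SYSCALL":
            ev.update(auid=int(rec["auid"]), exe=rec["exe"], tty=rec["tty"])
        elif rec["type"] == "EXECVE":
            argn = sorted((k for k in rec if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            ev["argv"] = [rec[k] for k in argn]
    return [ev for ev in events.values() if "exe" in ev and "argv" in ev]


def by_login_user(events, min_uid=500):
    """Group command lines by login uid (auid), dropping daemons (auid unset) and
    system accounts below min_uid (500 is an assumed UID_MIN; adjust to your site)."""
    out = defaultdict(list)
    for ev in events:
        if ev["auid"] == AUID_UNSET or ev["auid"] < min_uid:
            continue
        out[ev["auid"]].append(" ".join(ev["argv"]))
    return dict(out)


def decode_tty(lines):
    """Decode the hex data field of TTY records into (auid, keystrokes), making control keys visible."""
    out = []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] == "TTY":
            keys = bytes.fromhex(rec["data"]).decode("latin-1")
            out.append((int(rec["auid"]), keys.replace("\r", "<CR>").replace("\x7f", "<DEL>")))
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for auid, cmds in by_login_user(execve_events(lines)).items():
        print(f"auid={auid}: {cmds}")
    for auid, keys in decode_tty(lines):
        print(f"auid={auid} typed: {keys}")
```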


* Re: Help on Audit Rules
From: Koresh... @ 2012-10-18 13:35 UTC (permalink / raw)
  To: Miloslav Trmac; +Cc: linux-audit


So if I am correct, there is no way we can get the normal user activity
through the auditd daemon ...

Or, please suggest the best way to capture the activity logs for normal
users ....



* Re: Help on Audit Rules
From: Peter Moody @ 2012-10-18 15:33 UTC (permalink / raw)
  To: Koresh...; +Cc: linux-audit, Miloslav Trmac

auditctl -a exit,always -S execve -F success=1

will audit log all successful execve(2) calls by all uids. It will
incur a (possibly significant) performance hit though. Is there a
particular binary/user you're concerned about?



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038


* Re: Help on Audit Rules
From: Peter Moody @ 2012-10-18 15:35 UTC (permalink / raw)
  To: Koresh...; +Cc: linux-audit, Miloslav Trmac

Also, from the auditctl manpage:

The following describes the valid actions for the rule:

never       No audit records will be generated. This can be used to
suppress event generation. In general, you want suppressions at the
top of the list instead of the bottom. This is because the event
triggers on the first matching rule.



* Re: Help on Audit Rules
From: Peter Moody @ 2012-10-18 15:50 UTC (permalink / raw)
  To: Koresh...; +Cc: linux-audit, Miloslav Trmac

Whoops, ignore this. I had misread your rules.


* Re: Help on Audit Rules
From: Steve Grubb @ 2012-10-18 17:02 UTC (permalink / raw)
  To: linux-audit; +Cc: Miloslav Trmac

On Thursday, October 18, 2012 08:33:59 AM Peter Moody wrote:
> auditctl -a exit,always -S execve -F success=1
> 
> will audit log all successful execve(2) calls by all uids. It will
> incur a (possibly significant) performance hit though. Is there a
> particular binary/user about you're concerned?

Well, this is not the way we normally do it in the audit world. This would 
capture both system and user events. Normally you want to focus on user 
events. So, if you correct this rule, you are still faced with the fact that it won't 
catch sourced files. Or the user could even start python and type the commands 
in directly.

So, the way we normally do this is to use the keystroke logging. The main 
issue is that you won't get the meaning of up arrows and things like that. I 
think there are ways of restricting the history file and in-memory history so 
that users cannot circumvent it.

-Steve

