* Problem with watching power commands - key is not logged
@ 2017-01-28 12:16 Damian Tykałowski
From: Damian Tykałowski @ 2017-01-28 12:16 UTC (permalink / raw)
  To: linux-audit


Hi

I'm struggling to get proper auditing of usage of power commands, here's
what I've got in rules:

[root@host01 ~]# cat /etc/audit/audit.rules | grep power
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power

However, despite a full host reboot/refreshing the rules, I'm not getting events
with the proper key "power":

[root@host01 ~]# cat /var/log/audit/audit.log | grep power
<empty>

Events are logged, though, but without a key:

type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

Any idea what is wrong? Rules with other keys seem to work.

* Re: Problem with watching power commands - key is not logged
From: Richard Guy Briggs @ 2017-01-29 21:40 UTC (permalink / raw)
  To: Damian Tykałowski; +Cc: linux-audit

On 2017-01-28 13:16, Damian Tykałowski wrote:
> Hi

Hi Damian,

> I'm struggling to get proper auditing of usage of power commands, here's
> what I've got in rules
> 
> [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> -w /sbin/shutdown -p rwx -k power
> -w /sbin/poweroff -p rwx -k power
> -w /sbin/reboot -p rwx -k power
> -w /sbin/halt -p rwx -k power
> -w shutdown -p rwx -k power
> -w poweroff -p rwx -k power
> -w reboot -p rwx -k power
> -w halt -p rwx -k power
> 
> However despite full host reboot/refreshing rules I'm not getting events
> with proper key "power"
> 
> [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> <empty>
> 
> Events are logged though but without key
> 
> type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> 
> type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> 
> Any idea what is wrong? Rules with other keys seems to work.

I suspect you have another rule that is catching it first?


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Problem with watching power commands - key is not logged
From: Damian Tykałowski @ 2017-01-30  9:31 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit


I found it out.
auditctl -l did not list the rule as loaded; I checked the auditd logs more deeply
and found it stopped loading rules at some point due to a duplicated rule.
After sorting that out, it loaded all rules correctly. Sorry for the trouble.

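The root cause here, a duplicated rule halting rule loading, can be caught before auditd reads the file. As an added example (not part of the thread), the Python below lints an audit.rules text for duplicate rule lines and for '-w' watches whose path is not absolute; the sample rules text is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rules text (not the thread's file): the thread's watches,
# one of them repeated with different spacing, plus one non-absolute path.
SAMPLE_RULES = """\
## power commands (constructed example)
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/reboot  -p rwx   -k power
-w reboot -p rwx -k power
-a always,exit -F arch=b64 -S reboot -k reboot_sched_swap
"""

def normalize(line):
    """Collapse whitespace so cosmetically different copies compare equal."""
    return " ".join(line.split())

def lint_rules(text):
    """Return (duplicates, relative_watches) for an audit.rules text.

    duplicates: rule lines present more than once. The kernel rejects a rule
    that already exists, and 'auditctl -R' stops at the first error unless
    run with -c, which is how a duplicate left the rest of the file unloaded
    in this thread.
    relative_watches: '-w' watches whose path is not absolute; auditctl
    requires an absolute path for a watch, so such lines never attach.
    """
    rules = []
    for raw in text.splitlines():
        line = normalize(raw)
        if line and not line.startswith("#"):   # skip blanks and comments
            rules.append(line)
    counts = Counter(rules)
    duplicates = sorted(r for r, n in counts.items() if n > 1)
    relative = []
    for rule in counts:
        m = re.match(r"-w\s+(\S+)", rule)
        if m and not m.group(1).startswith("/"):
            relative.append(rule)
    return duplicates, sorted(relative)

if __name__ == "__main__":
    dups, rel = lint_rules(SAMPLE_RULES)
    for d in dups:
        print("duplicate rule:", d)
    for r in rel:
        print("non-absolute watch path:", r)
```

Run it against the real file before restarting auditd, and compare the count of remaining rules with what `auditctl -l` reports afterwards.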


* Re: Problem with watching power commands - key is not logged
From: Stephen Buchanan @ 2017-01-30 16:32 UTC (permalink / raw)
  To: Damian Tykałowski; +Cc: linux-audit


Glad to hear that it's working for you now.

Typically, the '-w <path/filename>' syntax is to watch system files for
modification, not so much to audit the execution of the command (like for
power events, as you're doing). The way I audit reboot commands (among
others) is:

-a always,exit -F arch=b32 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap
-a always,exit -F arch=b64 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap

and

-w /var/run/utmp -p wa -k session

This might not be sufficient for your needs, but hopefully it's helpful.

Stephen

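Stephen's point, that a file watch and a syscall rule produce different records, can be checked against the log itself. As an added example (not from the thread), this Python parser reads audit records, the thread's two USER_CMD lines plus one constructed SYSCALL record of the kind the '-S reboot' rule emits, and reports which key, if any, each record carries; the field subset of the constructed SYSCALL record is an assumption.

```python
import re
from collections import Counter

# Constructed sample log: the two USER_CMD records from the thread plus one
# constructed SYSCALL record (field subset; syscall 169 is reboot on x86_64).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1485604730.101:659): arch=c000003e syscall=169 success=yes exit=0 ppid=3428 pid=3429 auid=5004 uid=0 comm="reboot" exe="/sbin/reboot" key="reboot_sched_swap"
"""

# name=value pairs; a value may be "double" or 'single' quoted, so the quoted
# msg='...' of a USER_CMD record stays one value instead of being split up.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Split one audit record into a dict, unquoting values. USER_CMD records
    carry two msg= fields (event id, then the command text); the second is
    stored under msg_2 so neither is lost."""
    rec = {}
    for name, value in FIELD_RE.findall(line):
        if name in rec:
            name += "_2"
        rec[name] = value.strip("\"'")
    return rec

def keyed_events(text):
    """Return [(record type, key or None)] for every record in the log."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = rec.get("key")
        if key == "(null)":      # kernel prints (null) when no rule key applies
            key = None
        out.append((rec.get("type"), key))
    return out

def records_per_key(text):
    """Count records by key; None collects records no -k rule can tag, such as
    USER_CMD, which a user-space program logs rather than the kernel."""
    return Counter(key for _, key in keyed_events(text))

if __name__ == "__main__":
    for rtype, key in keyed_events(SAMPLE_LOG):
        print(f"{rtype:<10} key={key}")
    print(dict(records_per_key(SAMPLE_LOG)))
```

A grep for the key in audit.log only finds records the kernel tagged, which is why the thread's USER_CMD lines never matched "power" even once the rules loaded.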
