* filtering system calls with auid -1
From: ocakan @ 2015-11-17  9:38 UTC (permalink / raw)
  To: linux-audit

Hi!

My aim is to audit only commands executed by root (interactively) and avc
denied messages (selinux)

Some details about my audit-test-system and current audit configuration.
### MY CONFIGURATION:
uname -a:
Linux centos6 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
x86_64 x86_64 x86_64 GNU/Linux

### cat /proc/cmdline:
ro root=UUID=63f8768a-2eee-4472-8ebc-43372292a93b rd_NO_LUKS
LANG=en_US.UTF-8  KEYBOARDTYPE=pc KEYTABLE=de-latin1-nodeadkeys rd_NO_MD
SYSFONT=latarcyrheb-sun16  rd_NO_LVM rd_NO_DM rhgb audit=1

### rpm -q audit:
audit-2.3.7-5.el6.x86_64

### auditctl -l:
-a never,exit -S all -F auid!=-1
-a never,exit -S all -F auid!=0 -F auid<500
-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
-a always,exclude -F msgtype=CWD

### auditctl -s:
AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
lost=0 backlog=0

### /etc/init.d/auditd status:
auditd (pid  4232) is running...

### grep -Hrn loginuid /etc/pam.d/:
/etc/pam.d/login:9:session    required     pam_loginuid.so
/etc/pam.d/sshd:9:session    required     pam_loginuid.so
/etc/pam.d/remote:9:session    required     pam_loginuid.so
/etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so

-----

MY QUESTION:
With the above listed configuration I still get audit.log entries with
auid=-1 including cron and anacron entries.

EXAMPLE AUDIT.LOG SNIPPET:
type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447748821.214:1370): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447748821.215:1371): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=SYSCALL msg=audit(1447748821.215:1372): arch=c000003e syscall=59
success=yes exit=0 a0=7f24d92992d6 a1=7ffdc67f7a90 a2=7f24d9299340 a3=8
items=2 ppid=5863 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.215:1372): argc=3 a0="/bin/sh" a1="-c"
a2=636174202F6574632F736861646F7720263E2F6465762F6E756C6C
type=PATH msg=audit(1447748821.215:1372): item=0 name="/bin/sh"
inode=1045010 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.215:1372): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59
success=yes exit=0 a0=e388c0 a1=e38e20 a2=e37b00 a3=7ffc3c6a4a20 items=2
ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key="root-commands"
type=EXECVE msg=audit(1447748821.216:1373): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1447748821.216:1373): item=0 name="/bin/cat"
inode=1044629 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1447748821.216:1373): item=1 name=(null) inode=1044483
dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=CRED_DISP msg=audit(1447748821.217:1374): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447748821.217:1375): user pid=5863 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'

What am I missing or doing wrong? I also tried working with pam_tty_audit
and aureport --tty but that is too detailed as every keypress gets logged.

Cheers,
Orhan


* Re: filtering system calls with auid -1
From: Steve Grubb @ 2015-11-17 19:55 UTC (permalink / raw)
  To: linux-audit; +Cc: ocakan

On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> My aim is to audit only commands executed by root (interactively) and avc
> denied messages (selinux)

I have some questions to help clarify. Commands executed by root, or by the root 
user? Root is uid = 0; the root user is uid = 0 && auid >= 500 && auid != -1. (The 
audit system treats all uids as unsigned numbers, therefore auid = -1 is a large 
unsigned number.)

Also when you say commands, what do you mean? What root types on the console? 
What if that is a shell script that in turn executes many other programs and 
scripts?


> Some details about my audit-test-system and current audit configuration.

<snip> 

> ### auditctl -l:
> -a never,exit -S all -F auid!=-1

This says you want to mark all user processes permanently unauditable.

> -a never,exit -S all -F auid!=0 -F auid<500

I don't think this adds anything because the previous one includes this.

> -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands

Now you want execve run by anything that's not a user, meaning cron jobs and 
system services.

> -a always,exclude -F msgtype=CWD

And this says you don't care about reconstructing relative paths. 


> ### auditctl -s:
> AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> lost=0 backlog=0
> 
> ### /etc/init.d/auditd status:
> auditd (pid  4232) is running...
> 
> ### grep -Hrn loginuid /etc/pam.d/:
> /etc/pam.d/login:9:session    required     pam_loginuid.so
> /etc/pam.d/sshd:9:session    required     pam_loginuid.so
> /etc/pam.d/remote:9:session    required     pam_loginuid.so
> /etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so
> 
> -----
> 
> MY QUESTION:
> With the above listed configuration I still get audit.log entries with
> auid=-1 including cron and anacron entries.

Based on your rules, you are getting exactly what you programmed it to do.

 
> EXAMPLE AUDIT.LOG SNIPPET:
> type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> auid=4294967295 ses=4294967295

<snip>
 
> What am I missing or doing wrong? I also tried working with pam_tty_audit
> and aureport --tty but that is too detailed as every keypress gets logged.

Sudo will log every command run through it. Maybe that is closer? The execve 
approach will log everything, but it will also log all subscripts that are run 
as a result of what's entered on the command line. That would be:

-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0

No other rules.

-Steve


* Re: filtering system calls with auid -1
From: ocakan @ 2015-11-18 14:54 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hello Steve!

Thank you for your feedback. Somehow I still do not fully understand how
the filtering with -F works.

Regarding your questions: commands executed by the root user, including
subshells and sub-commands from scripts, are fine for me.

I altered my audit.rules as you suggested to the following, no other rules:
auditctl -l:
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0

I get entries from crond like the following in audit.log:
type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'

What I do not get now are commands executed as root user from ptsX/ttyX.

root@myhost ~# cat /etc/passwd # no audit entry
root@myhost ~# service rsyslog stop # no audit entry
root@myhost ~# less /var/log/audit/audit.log # no audit entry
root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE entry

Cheers,
Orhan



* Re: filtering system calls with auid -1
From: Steve Grubb @ 2015-11-18 18:33 UTC (permalink / raw)
  To: ocakan; +Cc: linux-audit

On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote:
> Hello Steve!
> 
> Thank you for your feedback. Somehow I still do not fully understand how
> the filtering with -F works.
> 
> Regarding your questions: commands executed by root user, including
> subshells, subcmds from script are fine for me.

OK.

> I altered my audit.rules as you suggested to the following, no other rules:
> auditctl -l:

You can add a key to this if you like, -F key=root-commands


> -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> 
> I get entries from crond like the following in audit.log:

Cron entries hit the user filter. If you were using selinux, you could write a 
rule like this:

-a user,never -F subj_type=crond_t



> type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> 
> What I do not get now are commands executed as root user from ptsX/ttyX.
> 
> root@myhost ~# cat /etc/passwd # no audit entry
> root@myhost ~# service rsyslog stop # no audit entry
> root@myhost ~# less /var/log/audit/audit.log # no audit entry
> root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE
> entry

Check to see what your loginuid is:

# cat /proc/self/loginuid

-Steve


* Re: filtering system calls with auid -1
From: ocakan @ 2015-11-19 21:41 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hello Steve!

OK, the last puzzle piece was loginuid=0 !! -.-

My current audit rules for the use-case "logging root user actions, without
too much noise":
#
# delete all rules
-D
# set backlog_limit, default=320
-b 8192

# do not audit cron jobs
-a user,never -F subj_type=crond_t
-a exit,never -F subj_type=crond_t

# audit root actions from users switching to root
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands

# audit root actions with loginuid root
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid=0 -F uid=0 -k root-commands
#EOF

Thank you for the tips. I wonder how you manage doing all that great stuff
and still be able to find time supporting people. Great job!

Best regards,
Orhan

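The thread turns on three points that are easy to get wrong when reading auditctl rules: -F conditions within a rule are ANDed and rules are evaluated in order with the first match deciding, uids are compared as unsigned so auid!=-1 really means auid!=4294967295, and the USER_* records that crond emits go through the user filter rather than the exit filter. The following is an added example, not code from the thread or from the audit project: a small Python simulation of that rule evaluation, run over constructed audit records modelled on the ones Orhan posted (a cron child execve, a crond PAM session record, an admin who switched to root with auid=1000, a direct root login with auid=0, an ordinary user, and an sshd session record). It evaluates the three rule sets discussed above: the original rules, Steve's replacement, and the final set. The execve syscall numbers, the AUDIT_ARCH values for x86_64 and i386, and the list defaults (syscall events need an always rule; user-space messages are logged unless a never rule matches) are this example's own assumptions about the kernel; only execve is modelled.

```python
"""Simulate how the audit filters evaluate auditctl rules (added example,
not the thread's code).  Models the exit, user and exclude lists, execve on
x86_64/i386, unsigned uid comparison and first-matching-rule-wins."""
import operator
import re
import shlex

AUID_UNSET = 4294967295   # (unsigned)-1: loginuid never set (cron, daemons)
ARCH = {"x86_64": "c000003e", "b64": "c000003e", "i386": "40000003", "b32": "40000003"}
SYSCALL = {("c000003e", "execve"): 59, ("40000003", "execve"): 11}   # assumption: only execve
NUMERIC = {"uid", "euid", "suid", "fsuid", "auid", "gid", "egid", "pid", "ppid"}
LISTS = {"exit", "user", "exclude", "task"}
OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|>|<|=)(.*)$")


def parse_record(line):
    """Split one audit.log record into key/value pairs; derive subj_type from the SELinux label."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if "subj" in rec and rec["subj"].count(":") >= 2:
        rec["subj_type"] = rec["subj"].split(":")[2]      # user:role:type:range
    return rec


def parse_rule(text):
    """Parse an auditctl rule: -a list,action [-F field<op>value]... [-S syscalls] [-k key]."""
    toks = shlex.split(text)
    rule = {"fields": [], "syscalls": None, "key": None}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-a":
            a, b = arg.split(",")          # auditctl accepts list,action or action,list
            rule["list"], rule["action"] = (a, b) if a in LISTS else (b, a)
        elif opt == "-F":
            name, op, value = FIELD_RE.match(arg).groups()
            if name == "key":              # -F key=x is the same as -k x
                rule["key"] = value
            else:
                rule["fields"].append((name, op, value))
        elif opt == "-S":
            rule["syscalls"] = None if arg == "all" else arg.split(",")
        elif opt == "-k":
            rule["key"] = arg
    return rule


def rule_matches(rule, rec):
    """Every -F condition and the -S list must hold for the record."""
    arch = rec.get("arch")
    for name, op, value in rule["fields"]:
        if name == "arch":
            if ARCH.get(value) != arch:
                return False
        elif name == "msgtype":
            if not OPS[op](rec.get("type"), value):
                return False
        elif name in NUMERIC:
            # uids are compared as unsigned: -1 on the command line is 4294967295
            wanted = AUID_UNSET if value == "-1" else int(value)
            if name not in rec or not OPS[op](int(rec[name]), wanted):
                return False
        elif not OPS[op](rec.get(name), value):   # string fields such as subj_type
            return False
    if rule["syscalls"] is not None:
        if int(rec.get("syscall", -1)) not in {SYSCALL.get((arch, s)) for s in rule["syscalls"]}:
            return False
    return True


def evaluate(rules, rec):
    """("audited", key), ("not audited", None) or ("dropped", None) for one record."""
    is_syscall = rec.get("type") == "SYSCALL"
    if any(r["list"] == "exclude" and rule_matches(r, rec) for r in rules):
        return ("dropped", None)
    for r in rules:
        if r["list"] == ("exit" if is_syscall else "user") and rule_matches(r, rec):
            # first matching rule decides; 'never' marks the event not auditable
            return ("audited", r["key"]) if r["action"] == "always" else ("not audited", None)
    # defaults: syscalls need an 'always' rule; user-space messages pass unless 'never' hits
    return ("not audited", None) if is_syscall else ("audited", None)


def load_rules(*lines):
    return [parse_rule(line) for line in lines]


RULES_ORIGINAL = load_rules(
    "-a never,exit -S all -F auid!=-1",
    "-a never,exit -S all -F auid!=0 -F auid<500",
    "-a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands",
    "-a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands",
    "-a always,exclude -F msgtype=CWD")
RULES_STEVE = load_rules(
    "-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0",
    "-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0")
RULES_FINAL = load_rules(
    "-a user,never -F subj_type=crond_t",
    "-a exit,never -F subj_type=crond_t",
    "-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands",
    "-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands",
    "-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands",
    "-a always,exit -F arch=i386 -S execve -F auid=0 -F uid=0 -k root-commands")

# Constructed sample records modelled on the thread's log (pids, ses, timestamps made up).
UNCONFINED = "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
RECORDS = {
    "cron_execve": parse_record('type=SYSCALL msg=audit(1447748821.216:1373): arch=c000003e syscall=59 '
        'success=yes exit=0 pid=5866 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 '
        'comm="cat" exe="/bin/cat" ' + UNCONFINED),
    "cron_session": parse_record("type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0 "
        "auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
        "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" terminal=cron res=success'"),
    "sudo_admin_execve": parse_record('type=SYSCALL msg=audit(1447855400.100:400): arch=c000003e syscall=59 '
        'success=yes exit=0 pid=26001 auid=1000 uid=0 euid=0 tty=pts0 ses=3 '
        'comm="iptables" exe="/sbin/iptables" ' + UNCONFINED),
    "root_login_execve": parse_record('type=SYSCALL msg=audit(1447855401.200:401): arch=c000003e syscall=59 '
        'success=yes exit=0 pid=26101 auid=0 uid=0 euid=0 tty=tty1 ses=4 comm="cat" exe="/bin/cat" ' + UNCONFINED),
    "user_execve": parse_record('type=SYSCALL msg=audit(1447855402.300:402): arch=c000003e syscall=59 '
        'success=yes exit=0 pid=26201 auid=1000 uid=1000 euid=1000 tty=pts1 ses=3 comm="ls" exe="/bin/ls" ' + UNCONFINED),
    "ssh_session": parse_record("type=USER_START msg=audit(1447855399.000:399): user pid=25990 uid=0 auid=1000 "
        "ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=\"orhan\" "
        "exe=\"/usr/sbin/sshd\" terminal=ssh res=success'"),
}


def decisions(rules):
    """Verdict per sample record under one rule set."""
    return {name: evaluate(rules, rec) for name, rec in RECORDS.items()}


if __name__ == "__main__":
    for label, rs in ("original", RULES_ORIGINAL), ("steve", RULES_STEVE), ("final", RULES_FINAL):
        print(label)
        for name, (verdict, key) in decisions(rs).items():
            print(f"  {name:18} {verdict}" + (f" key={key}" if key else ""))
```

Running it reproduces the thread: under the original rules the first never rule swallows every process with a real loginuid, so only the cron child (auid=4294967295, euid=0) reaches the always rule and gets key root-commands; under Steve's rules the cron child fails auid!=-1 and the admin with auid=1000 is caught, but a direct root login with auid=0 fails auid>=500, which is the "no audit entry" Orhan saw from his tty; the final set catches both auid paths and the user-list never rule is what silences the crond USER_* records, since those never pass through the exit filter at all.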
