From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
To: "warron.french" <warron.french@gmail.com>,
Steve Grubb <sgrubb@redhat.com>
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: RE: [EXT] Re: The format of password change audit events seems to have changed, Can you confirm the correct record type ?
Date: Fri, 9 Jul 2021 14:22:18 +0000 [thread overview]
Message-ID: <1823e6d3090d4c278d020effe1f4e6a0@APLEX10.dom1.jhuapl.edu> (raw)
In-Reply-To: <CAJdJdQmq4npG+7ez0Euq8Qza8VoRZB3MsQ5wJ0xTzKO+VTO-yA@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2262 bytes --]
Warren, I missed this part of your message.
>> This is an interesting topic.
>> Please, can you tell me what audit rule you are using that generates such records about root's (or any other account's) password change?
I double checked the rules on a different RHEL 7.9 system , and it looks like we are only picking up password change attempts for accts in the user space, but not root, so if the password was changed directly from a root login rather than via sudo from another acct, we probably won’t see some of the related audit records.
This is the rule I believe is picking up password change events:
–a always,exit –F path=/usr/bin/passwd –F per=x –F auid>=1000 auid!=4294967295 –k privileged passwd
There are also a specific watches on /etc/shadow and gshadow:
-w /etc/shadow –p wa –k identity
I just attempted , from a non-priv acct, to change the root passwd, and I see the following relevant audit records key-value pairs :
This shows I successfully ran the passwd command and that the root acct was targeted ,
type=PROCTITLE ... proctitle=passwd root ...
type=PATH name=/usr/bin/passwd
type=SYSCALL ... comm=passwd exe=/usr/bin/passwd success=yes key=setuid
This shows that a password change was attempted and failed, but doesn’t seem to correctly indicate that the root acct was targeted (id=myusername, not root):
Type=USER_CHAUTHOK auid=myusername msg=’op=attempted-to-change-password id=myusername exe=/usr/bin/passwd res=failed
So... based on this, unless the patch versions are a bit different between the two RHEL7.9 systems I’ve been looking at, it looks like you are actually generating a reasonable message when a password change is attempted, but we probably need to make sure we are picking up all password changes, not just those in the user space.
I unfortunately don’t have permission to change the audit rules, but will see if I can the SA to test this for me. If you are able to test in your environment and can confirm my findings, that would be wonderful, but I think we probably found our smoking gun, LOL.
Thanks so much,
Karen Wiepecht
[-- Attachment #1.2: Type: text/html, Size: 8984 bytes --]
[-- Attachment #2: Type: text/plain, Size: 106 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-07-09 14:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-08 18:19 The format of password change audit events seems to have changed, Can you confirm the correct record type ? Wieprecht, Karen M.
2021-07-08 19:23 ` Steve Grubb
2021-07-08 22:53 ` warron.french
2021-07-09 0:46 ` Richard Guy Briggs
2021-07-09 12:06 ` warron.french
2021-07-09 13:18 ` [EXT] " Wieprecht, Karen M.
2021-07-09 14:22 ` Wieprecht, Karen M. [this message]
2021-07-10 14:57 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1823e6d3090d4c278d020effe1f4e6a0@APLEX10.dom1.jhuapl.edu \
--to=karen.wieprecht@jhuapl.edu \
--cc=Linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
--cc=warron.french@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).