audit 2.0.4 auid problem

audit 2.0.4 auid problem

[Jean-Francois Vincent]

[-- Attachment #1.1: Type: text/plain, Size: 1725 bytes --]

Hello,



I've compiled audit audit-2.0.4 on our linux from scratch version.

Heres is the log of the command date issued by the user "system"  :

 May 27 10:20:36 doma audispd: node=doma type=SYSCALL
msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0
a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006
auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19
sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)

May 27 10:20:36 doma audispd: node=doma type=EXECVE
msg=audit(1274948436.000:57884): a0="date"

May 27 10:20:36 doma audispd: node=doma type=PATH
msg=audit(1274948436.000:57884): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00



Here's the same report of the date command after the user "system" changed
its id using sudo su - :



May 27 10:22:13 doma audispd: node=doma type=SYSCALL
msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0
a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty1 comm="date" exe="/bin/date" key=(null)

May 27 10:22:13 doma audispd: node=doma type=EXECVE
msg=audit(1274948533.407:58095): a0="date"

May 27 10:22:13 doma audispd: node=doma type=PATH
msg=audit(1274948533.407:58095): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00



1 ) Is there any bug with auid always set to  4294967295 ?

 2) I've also searched for logging commands specifics to a TTY but it seems
auditd cannot filter on one specific TTY. I've looking for auditctl -F
options but I don't see any TTY filtering option. Is it possible ?


Regards

JF Vincent

[-- Attachment #1.2: Type: text/html, Size: 2068 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: audit 2.0.4 auid problem

[Steve Grubb]

On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote:
> 1 ) Is there any bug with auid always set to  4294967295 ?

You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any 
pamified entry point daemon. (but not sudo or su.)


>  2) I've also searched for logging commands specifics to a TTY but it seems
> auditd cannot filter on one specific TTY. I've looking for auditctl -F
> options but I don't see any TTY filtering option. Is it possible ?

Look for pam_tty_audit man page.

-Steve

Re: audit 2.0.4 auid problem

[Jean-Francois Vincent]

[-- Attachment #1.1: Type: text/plain, Size: 1254 bytes --]

I would like to audit specifically interactive actions taken from the
console ttys (ttyS0,ttyS1,tty-1-6) and I've just discovered the /bin/login
we use here was compiled without PAM libs. So I guess I will not be able to
get auid nor TTY auditing...

By the way is there any way/future way to filter on TTY (at least just for
syscalls where the tty= appears in) using auditctl -F option ? It seems -F
includes a lot of objects but not tty ?

Regards

JF


> -----Message d'origine-----
> De : Steve Grubb [mailto:sgrubb@redhat.com]
> Envoyé : jeudi 3 juin 2010 16:30
> À : linux-audit@redhat.com
> Cc : Jean-Francois Vincent
> Objet : Re: audit 2.0.4 auid problem
>
> On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote:
> > 1 ) Is there any bug with auid always set to  4294967295 ?
>
> You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any
> pamified entry point daemon. (but not sudo or su.)
>
>
> >  2) I've also searched for logging commands specifics to a TTY but it
> seems
> > auditd cannot filter on one specific TTY. I've looking for auditctl -F
> > options but I don't see any TTY filtering option. Is it possible ?
>
> Look for pam_tty_audit man page.
>
> -Steve
>
>

[-- Attachment #1.2: Type: text/html, Size: 1627 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]