From: Gary Smith <gary.smith@pnl.gov>
To: linux-audit@redhat.com
Subject: Problem with audisp-prelude/auparse on Fedora 10
Date: Tue, 06 Jan 2009 16:40:13 -0800
Message-ID: <C58939ED.8AC4%gary.smith@pnl.gov>



Hello All,

I've been working on getting audit/audisp-prelude/prelude set up on Fedora
10 and ran into a situation where it appears that audisp-prelude is not
triggering on watched syscall events.

The system is running Fedora 10 with the 2.6.27.9-159.fc10 kernel and audit
and audispd-plugins 1.7.10 and the host of prelude software and libraries. I
followed Steve's HOWTO on installing and configuring audit and prelude and
got it all installed without difficulties. After the configuration, I
restarted auditd and saw that audispd and audisp-prelude were running and
so were prelude-manager and mysql. After starting up prewikka-httpd and
pointing the web browser at the system, I tried a few things, like logging in
and out successfully and unsuccessfully. I was pleased to see the
events pop up in the browser window. I did some more tests wherein I caused
programs to seg fault, and these events got recorded too. Needless to say, I
was impressed. Next I used the system-config-audit GUI tool to create some
watch points on files with the ids-type-severity set to get audisp-prelude's
attention. Here's the listing of the rules from auditctl -l:

LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=ids-file-hi
LIST_RULES: exit,always watch=/bin/ping perm=x key=ids-exec-inf

I restarted auditd and ran ping. Nothing showed up in the browser window. I
ran ping again, several times. Nothing at all. I did some things to
/etc/shadow and nothing. I did an ausearch for the key=ids-exec-inf and got
something like this:

time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"

So, it looks like the watch points are firing and the records are getting into the
audit log.

Then I did an aureport --summary -k:

Key Summary Report
===========================
total  file
===========================
112  ids-file-hi
16  ids-exec-inf

So both ausearch and aureport can find the keys and interpret them.

Next, I did ausearch --raw -k ids-file-hi > test.log and audisp-prelude --test
< ./test.log

Nothing happened. All I got was "audisp-prelude is exiting on stop request".

I was confused about what was happening. Why do two programs see the keys and
not the other one?

So I downloaded the source (audit-1.7.10.tar.gz) and rebuilt the audit
package with prelude. When I executed the locally built audisp-prelude as
above, I got the same result.

Looking through the code, the file audisp_prelude.c has a function called
handle_watched_syscalls. After playing around with putting debug statements
into the code and rerunning the test, over several runs, it looks like
auparse_find_field is not finding the "key" field. The reason ausearch and
aureport can find the "key" field is that they don't use auparse. I edited
the test.log file and moved the "key" fields to the start of the record and
ran the test; no difference. Next, I modified the source of audisp-prelude.c
so that instead of looking for "key" to introduce "ids-" info,
handle_watched_syscalls would look for "subj" instead (I picked this one
since I had seen that auparse_find_field could find this field). I edited
the test.log to replace "key=" with "subj=" and reran the test. This time I
got output:

version: <empty>
alert:
        analyzer(0):
                analyzerid: 4123513432298101
                name: auditd
                manufacturer: Red Hat,
http://people.redhat.com/sgrubb/audit/
                model: auditd
                version: 1.7.10
                class: HIDS
                ostype: Linux
                osversion: 2.6.27.9-159.fc10.i686
                node:
                        category: unknown (0)
                        name: localhost.localdomain
                process:
                        name: lt-audisp-prelude
                        pid: 3661
                        path: /home/gsmith/Projects/audit-1.7.10/audisp/plugins/prelude/.libs/lt-audisp-prelude
        create_time: 06/01/2009 15:28:34.312712 -08:00
        classification:
        detect_time: 31/12/2008 10:08:16.0 -08:00
        source(0): 
                spoofed: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                user:
                        category: application (1)
                        user_id(0):
                                type: original-user (0)
                                tty: pts1
                                name: gsmith
                                number: 500
                process:
                        name: ping
                        pid: 3391
                        path: /bin/ping
        target(0): 
                decoy: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                file(0):
                        text: Watched Executable
                        name: ping
                        path: /bin/ping
                        category: current (1)
        assessment:
                impact:
                        severity: info (1)
                        completion: succeeded (2)
                        type: user (5)
                        description: A user has attempted to execute a program that is being watched.
        additional_data(0):
                type: string (0)
                meaning: Execve args
                data: a0=ping a1=-c a2=5 a3=10.0.2.2
        additional_data(1):
                type: string (0)
                meaning: Audit event serial #
                data: 66

Looking further, I found auparse_find_next calls nvlist_find_name in
nvlist.c. I added some debug statements to nvlist_find_name, and it seems to
never compare its linked list of names against "key". So, I'm guessing
that the linked list is not built correctly.

So, have I been barking up the wrong tree on why audisp-prelude does not
trigger on "key=ids-" type of fields? Any comments would be greatly
appreciated.

Best regards,

Gary Smith
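As an added example (not code from the post, nor from the audit or prelude projects), here is a small Python parser for the raw audit record format quoted above: it groups records by audit serial, reads the key field off the SYSCALL record where the kernel places it, and selects the ids-prefixed events that audisp-prelude's handle_watched_syscalls is expected to turn into alerts. The sample input is a constructed retyping of the post's ping event, one record per line.

```python
import re

# Constructed sample: the ausearch-style event from the post, one record per line; all five share serial 118.
SAMPLE_LOG = """\
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"
"""
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # name=value or name="quoted value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\):?')     # msg=audit(<time>:<serial>):

def parse_record(line):
    """One record -> (timestamp, serial, {field: value}); quotes stripped, (null) -> None."""
    fields, ts, serial = {}, None, None
    for name, raw in FIELD_RE.findall(line):
        m = MSG_RE.fullmatch(raw) if name == "msg" else None
        if m:
            ts, serial = float(m.group(1)), int(m.group(2))
            continue
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[name] = None if raw == "(null)" else raw
    return ts, serial, fields

def group_events(log_text):
    """Group records by serial in order; blank lines and ausearch '----' separators are skipped."""
    events = {}
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("----"):
            _, serial, fields = parse_record(line)
            if serial is not None:
                events.setdefault(serial, []).append(fields)
    return events

def watched_syscalls(log_text, prefix="ids-"):
    """Events whose rule key (on the SYSCALL record) has the IDS prefix, reduced to alert fields."""
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        sc = next((f for f in records if f.get("type") == "SYSCALL"), None)
        key = sc.get("key") if sc else None
        if not key or key == "(none)" or not key.startswith(prefix):
            continue
        ex = next((f for f in records if f.get("type") == "EXECVE"), None)
        argv = " ".join(ex[f"a{i}"] for i in range(int(ex["argc"]))) if ex else ""
        hits.append({"serial": serial, "key": key, "exe": sc.get("exe"), "auid": sc.get("auid"),
                     "success": sc.get("success"), "argv": argv})
    return hits
```

Feeding it the output of ausearch --raw -k <key> reproduces, outside auparse, the key lookup that the post reports failing inside audisp-prelude.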

2009-01-07  0:40 Gary Smith [this message]
2009-01-07 16:11 ` Problem with audisp-prelude/auparse on Fedora 10 Steve Grubb