linux-audit.redhat.com archive mirror
* Logging from where user connected?
From: Skwar Alexander @ 2016-06-20 13:54 UTC
  To: Linux Auditd Mailing List

Hello

On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
and v2.4.5), we'd like to log all the commands that root has run, or
that were run as root.

For that, I added the following rules:

# Log all commands run as (or by) root
-a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
-a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root

When I now do an "ausearch -k exec_root -i", I get:

…

----
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=1 
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755 
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=0 
name=/usr/bin/sudo inode=396945 dev=fc:01 mode=file,suid,755 ouid=root 
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.976:65023) :  cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo 
a1=ausearch a2=-k a3=exec_root a4=-i
type=BPRM_FCAPS msg=audit(20.06.2016 15:28:06.976:65023) : fver=0 
fp=none fi=none fe=none old_pp=none old_pi=none old_pe=none 
new_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend 
new_pi=none 
new_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend 

type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64 
syscall=execve success=yes exit=0 a0=0x7fff4981a280 a1=0x7f7482187bd8 
a2=0x1bfcf40 a3=0x7fff49819e80 items=2 ppid=11261 pid=14093 auid=local 
uid=local gid=local euid=root suid=root fsuid=root egid=local sgid=local 
fsgid=local tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
----
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=1 
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755 
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=0 
name=/sbin/ausearch inode=618 dev=fc:01 mode=file,755 ouid=root 
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.980:65025) :  cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4 
a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64 
syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 a1=0x7fc01c0e0638 
a2=0x7fc01c0e5cd0 a3=0x7fff84d454c0 items=2 ppid=14093 pid=14094 
auid=local uid=root gid=root euid=root suid=root fsuid=root egid=root 
sgid=root fsgid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch 
key=exec_root

Now I'd like to know, from where that user connected. That user is
on tty=pts1, so do I have to use last?

local@app01-test ~ % last pts/1
local    pts/1        10.8.0.1         Mon Jun 20 13:26   still logged in
…

That's fine, as long as /var/log/wtmp* exists. But is there maybe a
way to get that information right away, without having to consult a
different logfile (eg. /var/log/wtmp)?

Additionally, if I'd like auditd to do remote logging (ie. send
logs off of the system), I'd have to use audispd, wouldn't I? How
would I then get hold of the right wtmp file? I've got the feeling,
that this might become quite complicated, if numerous servers would
do remote logging to one central system...

Would be quite thankful, if somebody could help :)

Thanks a lot,
Alexander

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Logging from where user connected?
From: Steve Grubb @ 2016-06-20 15:32 UTC
  To: linux-audit

On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
> and v2.4.5), we'd like to log all the commands that root has run, or
> that were run as root.
> 
> For that, I added the following rules:
> 
> # Log all commands run as (or by) root
> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root

That will also get daemon child processes. Normally you would want to separate 
routine system activity from user initiated activity.
 
> When I now do an "ausearch -k exec_root -i", I get:
> 
> …

<snip>

> Now I'd like to know, from where that user connected. That user is
> on tty=pts1, so do I have to use last?

Nope. This was thought about long ago.


> local@app01-test ~ % last pts/1
> local    pts/1        10.8.0.1         Mon Jun 20 13:26   still logged in
> …
> 
> 
> 
> That's fine, as long as /var/log/wtmp* exists. But is there maybe a
> way to get that information right away, without having to consult a
> different logfile (eg. /var/log/wtmp)?
 
This has been long considered a user space post processing issue. When someone 
logs in, a series of events occur. You can find the description here:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

Near the beginning you get  USER_AUTH which is recorded by pam and it has the 
IP address or terminal if it were a console.

There is a program, aulast, which tracks the sessions. It does show the origin 
of the user session. Also, if you give it the --proof commandline option, it 
will give you the ausearch command to examine the whole session.

 
> Additionally, if I'd like auditd to do remote logging (ie. send
> logs off of the system), I'd have to use audispd, wouldn't I?

Yes.

> How would I then get hold of the right wtmp file?

You don't need it.

-Steve

> I've got the feeling, that this might become quite complicated, if numerous
> servers would do remote logging to one central system...
> 
> Would be quite thankful, if somebody could help :)
> 
> Thanks a lot,
> Alexander
> 



* Re: Logging from where user connected?
From: Skwar Alexander @ 2016-06-22  6:21 UTC
  To: Steve Grubb, linux-audit

Hello Steve and all :)


On 20.06.2016 at 17:32, Steve Grubb wrote:
 > On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
 >> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
 >> and v2.4.5), we'd like to log all the commands that root has run, or
 >> that were run as root.
 >>
 >> For that, I added the following rules:
 >>
 >> # Log all commands run as (or by) root
 >> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
 >> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
 >
 > That will also get daemon child processes. Normally you would want to
 > separate routine system activity from user initiated activity.

Yeah, by now, I figured as much :) It's really logging quite a lot.
These two rules can be found on a lot of places, eg. here 
http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
and there 
http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/

What would be a better configuration? I now have changed it to:

# Log all commands run AS root
-a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root

Thanks a lot for the pointer to aulast. That was very helpful.

Cheers,
Alexander


* Re: Logging from where user connected?
From: Steve Grubb @ 2016-06-22 15:02 UTC
  To: Skwar Alexander; +Cc: linux-audit

On Wednesday, June 22, 2016 08:21:27 AM Skwar Alexander wrote:
> Hello Steve and all :)
> 
> On 20.06.2016 at 17:32, Steve Grubb wrote:
>  > On Monday, June 20, 2016 03:54:02 PM Skwar Alexander wrote:
>  >> On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
>  >> and v2.4.5), we'd like to log all the commands that root has run, or
>  >> that were run as root.
>  >> 
>  >> For that, I added the following rules:
>  >> 
>  >> # Log all commands run as (or by) root
>  >> -a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
>  >> -a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
>  > 
>  > That will also get daemon child processes. Normally you would want to
>  > separate routine system activity from user initiated activity.
> 
> Yeah, by now, I figured as much :) It's really logging quite a lot.
> These two rules can be found on a lot of places, eg. here
> http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
> and there
> http://linux-audit.com/pci-dss-logging-of-administrative-actions-with-root-privileges/
> 
> What would be a better configuration? I now have changed it to:
> 
> # Log all commands run AS root
> -a exit,always -F arch=b64 -F euid=0 -F auid!=0 -S execve -k exec_as_root
> -a exit,always -F arch=b32 -F euid=0 -F auid!=0 -S execve -k exec_as_root

-a exit,always -F arch=b64 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root
-a exit,always -F arch=b32 -F euid=0 -F auid>1000 -F auid!=unset -S execve -k exec_as_root

That is assuming that users start at 1000. You are still going to get a lot
because you might run a shell script which runs hundreds more shell scripts
and commands.

What some people decide on is to use the keystroke logging so that they can
see just the high level commands.

-Steve

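As an added illustration (not code from this thread, from aulast, or from the audit userspace), here is a small Python post-processor that does what Steve describes in his two replies: it takes the login-lifecycle record that carries the origin address, joins it to the execve records by session id (ses), and separates the auid=unset daemon children that the refined auid>1000 / auid!=unset filters keep out of the rule. The records are constructed samples in raw (not "ausearch -i") format, and it is assumed that the USER_START record carries ses= and addr= as sshd/pam emit them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not from the thread), in raw rather than "ausearch -i"
# format: an sshd login from 10.8.0.1 that becomes session 15, an execve via sudo in
# that session, and an execve by a daemon child with no login session (auid=unset).
SAMPLE_LOG = """\
type=USER_START msg=audit(1466429160.100:60010): pid=11200 uid=0 auid=1000 ses=15 msg='op=PAM:session_open acct="local" exe="/usr/sbin/sshd" hostname=10.8.0.1 addr=10.8.0.1 terminal=ssh res=success'
type=SYSCALL msg=audit(1466429286.976:65023): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=11261 pid=14093 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=15 comm="sudo" exe="/usr/bin/sudo" key="exec_as_root"
type=SYSCALL msg=audit(1466429300.000:65100): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec_root"
"""

UNSET = "4294967295"  # how the kernel reports an unset auid/ses (-1 as an unsigned 32-bit value)
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line: str) -> Dict[str, str]:
    """Flatten one raw audit record into a dict; pam nests its fields inside msg='...'."""
    fields: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith("'"):
            fields.update(parse_record(val[1:-1]))  # recurse into the quoted pam payload
        else:
            fields[key] = val.strip('"')
    return fields

def session_origins(records: List[Dict[str, str]]) -> Dict[str, str]:
    """ses -> address (or terminal) taken from the USER_START login-lifecycle record."""
    return {r["ses"]: r.get("addr") or r.get("terminal", "?")
            for r in records if r.get("type") == "USER_START" and r.get("ses", UNSET) != UNSET}

def annotate_root_execs(records: List[Dict[str, str]],
                        origins: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Every execve that ran with euid=0, joined to where its login session came from.
    auid=unset means no login session at all (daemon children), which is exactly what
    the auid>1000 / auid!=unset filters exclude from the rule in the first place."""
    rows = []
    for r in records:
        if r.get("type") != "SYSCALL" or r.get("syscall") not in ("59", "execve") or r.get("euid") != "0":
            continue  # 59 is execve on x86_64; "ausearch -i" output spells the name out instead
        interactive = r.get("auid", UNSET) != UNSET
        rows.append({"comm": r.get("comm"), "auid": r["auid"] if interactive else "unset",
                     "origin": origins.get(r.get("ses", "")) if interactive else None})
    return rows

def report(raw: str = SAMPLE_LOG) -> List[Dict[str, Optional[str]]]:
    """Parse a raw audit log and annotate every root execve with its session origin."""
    records = [parse_record(line) for line in raw.splitlines() if line.strip()]
    return annotate_root_execs(records, session_origins(records))
```

Calling report() on the sample yields the sudo execve attributed to auid 1000 from 10.8.0.1 and the run-parts execve flagged as auid unset with no origin, which is the session-level view aulast gives without consulting wtmp.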
