USER_CMD

USER_CMD

[Chris Nandor]

[-- Attachment #1.1: Type: text/plain, Size: 63 bytes --]

How does one get USER_CMD records into the audit.log?

--Chris

[-- Attachment #1.2: Type: text/html, Size: 123 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: USER_CMD

[Steve Grubb]

On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> How does one get USER_CMD records into the audit.log?

The sudo command is the usual way.

-Steve

Re: USER_CMD

[Chris Nandor]

[-- Attachment #1.1: Type: text/plain, Size: 473 bytes --]

Sorry, I guess I should have been more clear ... what sort of rule would
make it show up?  I'm not seeing it.

On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > How does one get USER_CMD records into the audit.log?
>
> The sudo command is the usual way.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

[-- Attachment #1.2: Type: text/html, Size: 972 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: USER_CMD

[Steve Grubb]

On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> Sorry, I guess I should have been more clear ... what sort of rule would
> make it show up?  I'm not seeing it.

Its hardwired. You don't need to add a rule. The rules that you add always 
result in SYSCALL events. You should also add a key to every rule as a 
reminder of what it means. So, any SYSCALL event that does not have a key is 
trigger by something else like a SELinux AVC.

-Steve

> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > > How does one get USER_CMD records into the audit.log?
> > 
> > The sudo command is the usual way.
> > 
> > -Steve
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit

Re: USER_CMD

[Chris Nandor]

So how do I get it then?  I found a 9-year old mail from you about bash --audit and aubash but that isn't working for me.

> On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb@redhat.com> wrote:
> 
>> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
>> Sorry, I guess I should have been more clear ... what sort of rule would
>> make it show up?  I'm not seeing it.
> 
> Its hardwired. You don't need to add a rule. The rules that you add always 
> result in SYSCALL events. You should also add a key to every rule as a 
> reminder of what it means. So, any SYSCALL event that does not have a key is 
> trigger by something else like a SELinux AVC.
> 
> -Steve
> 
>>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
>>>> How does one get USER_CMD records into the audit.log?
>>> 
>>> The sudo command is the usual way.
>>> 
>>> -Steve
>>> 
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
> 
> 

Re: USER_CMD

[Steve Grubb]

On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> So how do I get it then?

You just run a command under sudo and it does it. There is a chance that your 
copy of sudo does not have auditing enabled. You can try using ldd to see if 
its linked to the audit libraries. If not, then its not supported.

-Steve

> I found a 9-year old mail from you about bash
> --audit and aubash but that isn't working for me.
> > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb@redhat.com> wrote:
> >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> >> Sorry, I guess I should have been more clear ... what sort of rule would
> >> make it show up?  I'm not seeing it.
> > 
> > Its hardwired. You don't need to add a rule. The rules that you add always
> > result in SYSCALL events. You should also add a key to every rule as a
> > reminder of what it means. So, any SYSCALL event that does not have a key
> > is trigger by something else like a SELinux AVC.
> > 
> > -Steve
> > 
> >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> >>>> How does one get USER_CMD records into the audit.log?
> >>> 
> >>> The sudo command is the usual way.
> >>> 
> >>> -Steve
> >>> 
> >>> --
> >>> Linux-audit mailing list
> >>> Linux-audit@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/linux-audit

Re: USER_CMD

[Chris Nandor]

[-- Attachment #1.1: Type: text/plain, Size: 1941 bytes --]

Ah, I see.  I didn't get that it was sudo itself doing it (assuming it was
linked to libaudit).  Yes, in 12.04, libaudit is not part of the base
system.  I've tried it in a vagrant box under 16.04, ldd reports libaudit
is linked, and it works fine there.

I think we'll just skip pam_tty_audit (since it records passwords on
12.04's kernel) and USER_CMD on our 12.04 boxes.

Thanks!


On Thu, Jul 14, 2016 at 12:50 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> > So how do I get it then?
>
> You just run a command under sudo and it does it. There is a chance that
> your
> copy of sudo does not have auditing enabled. You can try using ldd to see
> if
> its linked to the audit libraries. If not, then its not supported.
>
> -Steve
>
> > I found a 9-year old mail from you about bash
> > --audit and aubash but that isn't working for me.
> > > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb@redhat.com> wrote:
> > >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> > >> Sorry, I guess I should have been more clear ... what sort of rule
> would
> > >> make it show up?  I'm not seeing it.
> > >
> > > Its hardwired. You don't need to add a rule. The rules that you add
> always
> > > result in SYSCALL events. You should also add a key to every rule as a
> > > reminder of what it means. So, any SYSCALL event that does not have a
> key
> > > is trigger by something else like a SELinux AVC.
> > >
> > > -Steve
> > >
> > >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com>
> wrote:
> > >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > >>>> How does one get USER_CMD records into the audit.log?
> > >>>
> > >>> The sudo command is the usual way.
> > >>>
> > >>> -Steve
> > >>>
> > >>> --
> > >>> Linux-audit mailing list
> > >>> Linux-audit@redhat.com
> > >>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>

[-- Attachment #1.2: Type: text/html, Size: 3029 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]