From: Steve Grubb
Subject: Re: ausearch --text : missing information
Date: Mon, 18 Sep 2017 17:45:46 -0400
Message-ID: <1743812.PKs7bUkaIq@x2>
In-Reply-To: <3D2AB1326AB2974190FCE3F69401F7900102F2B4B2F2@FRVDX103.fr01.awl.atosorigin.net>
To: linux-audit@redhat.com
Cc: Maupertuis Philippe
List-Id: linux-audit@redhat.com

On Monday, August 21, 2017 12:01:43 PM EDT Maupertuis Philippe wrote:
> Hi,
> I was toying with the audit pci configuration.
> I opened a root session with sudo in which I just typed C-r nss to retrieve
> the command "less /etc/nsswitch.conf" from the bash_history. The text
> format, as shown below, doesn't handle correctly the tty_audit
> information. Is it a known limitation?
>
> Ausearch format text
> On yppcil51s.sys.meshcore.net at 10:23:34 21/08/17 fr18358, acting as root, successfully changed-identity-of /usr/bin/sudo using setresuid
> On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, typed
> On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, did-unknown
> On yppcil51s.sys.meshcore.net at 10:24:14 21/08/17 fr18358, acting as root, successfully ended-session /dev/pts/0

Yes, this was an omission. I checked in code that supports TTY auditing today.
> Ausearch -I format raw
> ----
> node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(21/08/17 10:23:34.400:20501) : proctitle=sudo -i
> node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(21/08/17 10:23:34.400:20501) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=root a1=root a2=root a3=0x7fab09de8300 items=0 ppid=20742 pid=20743 auid=fr18358 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1287 comm=sudo exe=/usr/bin/sudo key=10.2.5.b-elevated-privs-session
> ----
> node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(21/08/17 10:24:08.661:20503) : pid=20743 uid=root auid=fr18358 ses=1287 data="less /etc/nsswitch.conf"
> ----
> node=yppcil51s.sys.meshcore.net type=TTY msg=audit(21/08/17 10:24:08.661:20502) : tty pid=20743 uid=root auid=fr18358 ses=1287 major=136 minor=0 comm=bash data=<^R>,"nss",
> ----
> node=yppcil51s.sys.meshcore.net type=USER_END msg=audit(21/08/17 10:24:14.479:20506) : pid=20742 uid=root auid=fr18358 ses=1287 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'
>
> ausearch format raw
> node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.394:20497): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=ffffffff a2=ffffffff a3=7fab09de8300 items=0 ppid=20717 pid=20742 auid=3318358 uid=0 gid=20599 euid=0 suid=0 fsuid=0 egid=20599 sgid=20599 fsgid=20599 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="nobody" EUID="root" SUID="root" FSUID="root" EGID="nobody" SGID="nobody" FSGID="nobody"
> node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.394:20497): proctitle=7375646F002D69
> node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
> node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66UID="root" AUID="fr18358"
>
> Additionally, I noticed that ausearch -f /etc/nsswitch.conf doesn't return
> anything. It may be working as expected but I doubt it would be very usable
> to find out who fiddled with a file.

The -f option picks the file name out of PATH records. It has no way to know that anything being typed on a console happens to be a file name.

-Steve

> Has someone on the list successfully used the PCI rules in an actual PCI
> audit?
>
> Philippe
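Steve's distinction between PATH records and typed console input, as an added example (not code from the thread or from the audit-userspace project): a small Python parser over the raw records quoted above, plus a constructed PATH record, showing that a -f style lookup only sees name= fields while the typed command has to be recovered by hex-decoding the USER_TTY data. The PATH record, its serial 20510 and inode are constructed values, not from the thread.

```python
import re

# Constructed sample in the raw (non-interpreted) ausearch format from the
# thread. The PROCTITLE and USER_TTY records are the ones quoted in the mail
# (node= prefix dropped); the PATH record is constructed here to show what a
# file-watch rule on /etc/nsswitch.conf would log, since the thread has none.
RAW_RECORDS = [
    'type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69',
    'type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 '
    'auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66',
    'type=PATH msg=audit(1503303900.100:20510): item=0 '
    'name="/etc/nsswitch.conf" inode=1234 nametype=NORMAL',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')

def decode_value(raw):
    """Audit quotes plain strings and hex-encodes ones containing spaces,
    quotes or control bytes; NUL separates argv words in proctitle. Apply
    only to fields audit encodes (name, data, proctitle): a numeric field
    such as ses=1287 also looks like hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace').replace('\x00', ' ')
    return raw

def parse_record(line):
    """Split one record into a field dict and pull out the event serial."""
    rec = dict(FIELD_RE.findall(line))
    m = re.search(r'msg=audit\([\d.]+:(\d+)\)', line)
    rec['serial'] = int(m.group(1)) if m else None
    return rec

def events_touching_file(lines, path):
    """What 'ausearch -f' does: match PATH records whose name= equals path."""
    return sorted({r['serial'] for r in map(parse_record, lines)
                   if r['type'] == 'PATH' and decode_value(r['name']) == path})

def tty_input_mentioning(lines, path):
    """Keystrokes are opaque to -f; decode USER_TTY data to find them."""
    return [(r['serial'], decode_value(r['data']))
            for r in map(parse_record, lines)
            if r['type'] == 'USER_TTY' and path in decode_value(r['data'])]

def proctitles(lines):
    """Decode proctitle= hex so the NUL-separated argv reads as 'sudo -i'."""
    return {r['serial']: decode_value(r['proctitle'])
            for r in map(parse_record, lines) if r['type'] == 'PROCTITLE'}
```

Run on the two records actually quoted in the mail, `events_touching_file` returns nothing, which is the behaviour Philippe observed; only `tty_input_mentioning` recovers the typed command.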