auid = unset

auid = unset

[Joshua Ammons]

[-- Attachment #1.1: Type: text/plain, Size: 489 bytes --]

Hello, I just wanted to see if anyone has had much success with configuring redhat systems to reduce and/or eliminate the occurrence of auid = unset in the audit events?  I found the following redhat article that provides a fix by updating a grub setting for auditd but this doesn't seem to have much of an effect, as I still see large number of unset values in the logs.

https://access.redhat.com/solutions/971883

Thank you in advance for any information you may have on this.



[-- Attachment #1.2: Type: text/html, Size: 2449 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auid = unset

[Steve Grubb]

On Friday, May 3, 2019 3:31:39 PM EDT Joshua Ammons wrote:
> Hello, I just wanted to see if anyone has had much success with configuring
> redhat systems to reduce and/or eliminate the occurrence of auid = unset
> in the audit events?

auid = unset is a natural thing. Typically it indicates that a daemon has 
tripped over an audit rule. If you are seeing auid = unset by actions that 
you know a user caused, then you really want to find out how they logged in. 
You may have an entry point daemon that is not audit friendly. For example, 
login, sshd, gdm, kdm have all be modified to call the audit_setloginuid90 
function.


> I found the following redhat article that provides a
> fix by updating a grub setting for auditd but this doesn't seem to have
> much of an effect, as I still see large number of unset values in the
> logs.

It does. But maybe not how you think it would. You need to boot with audit=1 
and audit_backlog_limit=8192 (or some number). The first setting makes sure 
that every process that gets launched is auditable. If this is not set, then 
there can be processes that would cause audit events but will never ever be 
detected. So, this is important. The second setting ensures that backlog is 
big enough to hold events until the audit daemon starts. Otherwise you can 
lose some events during boot.

> https://access.redhat.com/solutions/971883
> 
> Thank you in advance for any information you may have on this.

Check you events and see what process is causing them:

ausearch --start today --loginuid unset --raw | aureport -x --summary

See if this is mostly daemons or scripts run on behalf of daemons. The fix 
might be to alter the audit rules to avoid daemon activity. This is what the 
-F auid>=1000 -F auid!=unset does in the shipped sample rules. And this is 
completely expected that daemon activity auid == unset.

If these are from user sessions, check how they get into the system. 
Something seems wrong there. 

-Steve

auid unset

[Kirkwood, David A.]

Hi,

 

I need some help with configuration. First, I do not remember how to
tell the version of the auditd I am running. I tried to get it by
pulling strings with no success. The larger problem is I am configuring
a RHEL4U5 system. I have a RHEL4U4 system that runs correctly and
supplies the AUID when specified with aureport. The RHEL4U5 system has
this parameter as "unset" rather than the AUID or uid or anything else
to identify who was attempting to run failed commands. 

If someone can help me with what needs to be set, I would appreciate it.
I compared all of the obvious files, such as all pam files, the
audit.rules, auditd.conf and syslog.conf and they all seem to be the
same.

Both systems run Linux 2.6.9-42.ELsmp.
 

Thanks in advance. 

 

David A. Kirkwood

Re: auid unset

[klausk]

[-- Attachment #1.1: Type: text/plain, Size: 923 bytes --]

> 
> I need some help with configuration. First, I do not remember how to
> tell the version of the auditd I am running. I tried to get it by
> pulling strings with no success. 

To identify the audit version you're running, you could use the package 
version+release or possibly something like
$ audearch -m DAEMON_START
Look for the last message and for the 'ver=' field.
 
> If someone can help me with what needs to be set, I would appreciate it.
> I compared all of the obvious files, such as all pam files, the
> audit.rules, auditd.conf and syslog.conf and they all seem to be the
> same.

Make sure you have 'session     required        pam_loginuid.so' entries 
in your pam configuration (/etc/pam.d/{atd,crond,login,remote,sshd})

restart system after that...

Klaus

-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]

[-- Attachment #1.2: Type: text/html, Size: 1379 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auid unset

[klausk]

[-- Attachment #1.1: Type: text/plain, Size: 290 bytes --]

> $ audearch -m DAEMON_START 

read that as $ausearch -m DAEMON_START

The best option would still be just 'rpm -q audit' and check the output

-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]

[-- Attachment #1.2: Type: text/html, Size: 473 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: auid unset

[Kirkwood, David A.]

Thanks Klaus,

The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both systems. I grepped for loginuid.so in the pam.d directory and it appears in all of the same pam entries on both systems. 
No luck yet, however I appreciate your help.

David A. Kirkwood


>> 
>> I need some help with configuration. First, I do not remember how to
>> tell the version of the auditd I am running. I tried to get it by
>> pulling strings with no success. 
>
>To identify the audit version you're running, you could use the package version+release or possibly >something like 
>$ audearch -m DAEMON_START 
>Look for the last message and for the 'ver=' field. 
> 
>> If someone can help me with what needs to be set, I would appreciate it.
>> I compared all of the obvious files, such as all pam files, the
>> audit.rules, auditd.conf and syslog.conf and they all seem to be the
>> same.
>
>Make sure you have 'session        required        pam_loginuid.so' entries in your pam configuration >(/etc/pam.d/{atd,crond,login,remote,sshd}) 
>
>restart system after that... 

>Klaus 

>-- 
>Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
>Software Engineer
>IBM STG, Linux Technology Center
>Phone:(+55-19) 2132-1909 [T/L 839-1909]

Re: auid unset

[Steve Grubb]

On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote:
> The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both
> systems. I grepped for loginuid.so in the pam.d directory and it appears in
> all of the same pam entries on both systems. No luck yet, however I
> appreciate your help.

Do you have audit=1 as kernel boot option?

-Steve

RE: auid unset

[Kirkwood, David A.]

Thanks Steve. That worked. What I don't understand is that it is not in
the system that already worked.

Thanks again,

David A. Kirkwood

>On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote:
>> The ausearch -m DAEMON_START returns version 1.0.14 for auditd on
both
>> systems. I grepped for loginuid.so in the pam.d directory and it
appears >>in
>> all of the same pam entries on both systems. No luck yet, however I
>> appreciate your help.

>Do you have audit=1 as kernel boot option?

>-Steve