From: "Curtas, Anthony R."
Subject: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 08:38:33 -0500

Hello all,

I've been a Linux sysadmin for a while for a small network of systems under the oversight of the Defense Security Service (DSS). They have always given us grief over Linux's inability to log certain events. A year ago, I implemented Snare with good results, but lack of a kernel panic on audit failure always had them second-guessing our setup. So I'm encouraged to see the progress made here and am preparing to try again.

Basically, the requirements are to log improper read access to certain files (audit logs, shadow) and write access to many others (most of /etc), and in some cases attempts to execute programs like stunnel and su.

My main confusion on getting started is the difference between syscalls and watches. It seems watches can do almost all of what I need, but they seem to be less "configurable" than the syscalls (like ignoring if root changes anything). Can someone explain the difference and where one is more appropriate than the other?

I have the CAPP documents from HP and IBM, which seem to be a good starting point (especially the conf files) - but I'm trying to understand it all before implementation in case I need to tweak it.

Thanks in advance for any help,
Anthony

_____________
Anthony Curtas
SAIC, Division 35
From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 09:19:52 -0500

On Friday 22 December 2006 08:38, Curtas, Anthony R. wrote:
> My main confusion on getting started is the difference between syscalls
> and watches.

Syscalls audit syscalls based on the various parameters accessible during the syscall. This means that every syscall is affected since it has to be analyzed to determine if it meets the criteria to trigger or suppress an audit event. If you use syscalls to audit files, you have to do it by inode. This is fine for files that do not move. You can also use devmajor/minor to watch whole disks or devices.

Watches solve the problem by allowing you to audit a file by its name. The kernel then converts it to inode auditing internally and changes the inode that is being audited whenever the file is moved/renamed. Watches also do not affect the performance of every syscall.

> It seems watches can do almost all of what I need, but they seem to be
> less "configurable" than the syscalls (like ignoring if root changes
> anything).

This is true in RHEL4. RHEL5/FC6 is more configurable.

> Can someone explain the difference and where one is more appropriate than
> the other.

Syscalls are appropriate whenever you have something global to audit. Watches are more appropriate when you are interested in specific files.

-Steve


From: "Curtas, Anthony R."
Subject: RE: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 10:08:04 -0500

Thanks for the response. What it looks like I need is a few syscalls and a lot of file watches. The sample capp.rules I was looking at seems to fit the bill, although I'll have to add some extra watches to the /etc directory.

One thing that still confuses me is how "possible" is implemented. From what I've read in the documentation, it looks like if you set a rule for entry,possible -- the audit system waits until a file watch is thrown, then it writes the event. Do I have this right?

If I always want to see when /etc/shadow is opened:

-w /etc/shadow -rwxa
-a entry,possible -S open

Will that work? And if I understand the mechanism correctly, that would log an open of ANY file that has a watch on it?

One last thing, if I only want unsuccessful open attempts on the watch files, would this work?

-a entry,possible -S open -F success!=1

Thanks again,
Anthony

_____________
Anthony Curtas
SAIC, Division 35


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 10:33:23 -0500

On Friday 22 December 2006 10:08, Curtas, Anthony R. wrote:
> One thing that still confuses me is how "possible" is implemented.

Possible means to collect the information at entry in case it's needed later. Rules with possible will never trigger an event, they simply tell it to collect the information. A watch or SE Linux AVC would actually use the information collected.

> From what I've read in the documentation, it looks like if you set a rule
> for entry,possible -- the audit system waits until a file watch is thrown,
> then it writes the event. Do I have this right?

Yes.

> If I always want to see when /etc/shadow is opened:
>
> -w /etc/shadow -rwxa
> -a entry,possible -S open

That would be opened for write or execute.

> Will that work? And if I understand the mechanism correctly, that would
> log an open of ANY file that has a watch on it?

Not quite. It will collect the information for any open, but only emit an event when shadow is opened for write or execute.

> One last thing, if I only want unsuccessful open attempts on the watch
> files, would this work?
> -a entry,possible -S open -F success!=1

It should collect the information for later use. If you wanted all unsuccessful opens, I'd rewrite as:

-a exit,always -S open -F success!=1

-Steve


From: "Wieprecht, Karen M."
Subject: RE: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 11:22:14 -0500

So you still need a watch on the file in order to get audit events to be generated in the event of file access failures, is that correct?

Karen Wieprecht


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 22 Dec 2006 11:25:46 -0500

On Friday 22 December 2006 11:22, Wieprecht, Karen M. wrote:
> So you still need a watch on the file in order to get audit events
> to be generated in the event of file access failures, is that correct?

That entirely depends on the rule. If you are using possible, yes. If your rules are always/never or a watch then you should be ok.

-Steve


From: "Wieprecht, Karen M."
Subject: RE: Audit config for NISPOM req's
Date: Thu, 11 Jan 2007 14:18:43 -0500

The auditctl man page for audit-1.0.14-1EL4 says the following (which appears to be incorrect):

To see unsuccessful open calls:
auditctl -a exit,always -S open -F success!=0

but an email you sent out a bit ago says this:

>> If you wanted all unsuccessful opens, I'd rewrite as:
>>
>> -a exit,always -S open -F success!=1

This makes a lot more sense, and I assume that this is the correct syntax. You might want to check to see if this has already been corrected in the man pages for upcoming releases.

I was hoping that this setting by itself (-a exit,always -S open -F success!=1) would show me any failed file opens on the whole machine, so I don't understand why I don't get any audit events with this configuration. I thought that maybe I also have to have a watch set on a file, then tell auditd which events I want to collect with the "-a exit,always -S open -F success!=1" setting, but that didn't do it either.

Here's what I was testing

/etc/audit.rules :

-D
-w /etc/nsswitch.conf -rwxa
-a exit,always -S open -F success!=1

Then

service auditd reload
service auditd rotate
autail -f /var/log/audit/audit.log

Then in another window, as a non-privileged user

rm /etc/nsswitch.conf
cat /dev/null > /etc/nsswitch.conf
chown karen /etc/nsswitch.conf
chmod 777 /etc/nsswitch.conf
cat somefile >> /etc/nsswitch.conf

I get lots of permission denied messages at the command line, but nothing in the audit log relating to karen messing around with /etc/nsswitch.conf.

I must still be missing some basic understanding of how this all works. Any helpful suggestions would be greatly appreciated.

Thanks,
Karen Wieprecht


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Thu, 11 Jan 2007 14:42:20 -0500

On Thursday 11 January 2007 14:18, Wieprecht, Karen M. wrote:
> This makes a lot more sense, and I assume that this is the correct
> syntax.

And it's easy to determine empirically. :)

> You might want to check to see if this has already been
> corrected in the man pages for upcoming releases.

hmm...I'll check, thanks.

> I was hoping that this setting by itself (-a exit,always -S open -F
> success!=1) would show me any failed file opens on the whole machine,

It does for me.

> so I don't understand why I don't get any audit events with this
> configuration.

What arch are you on?
> /etc/audit.rules :
>
> -D
> -w /etc/nsswitch.conf -rwxa
> -a exit,always -S open -F success!=1

You do not need both. The last rule by itself should do it.

> service auditd reload
> service auditd rotate
> autail -f /var/log/audit/audit.log

I don't use autail. I run ausearch to check results.

> Then in another window, as a non-privileged user
> rm /etc/nsswitch.conf
> cat /dev/null > /etc/nsswitch.conf
> chown karen /etc/nsswitch.conf
> chmod 777 /etc/nsswitch.conf
> cat somefile >> /etc/nsswitch.conf
>
> I get lots of permission denied messages at the command line, but
> nothing in the audit log relating to karen messing around with
> /etc/nsswitch.conf.

Are you using ausearch or autail?

-Steve


From: "Kirkwood, David A."
Subject: RE: Audit config for NISPOM req's
Date: Fri, 12 Jan 2007 11:09:43 -0500

I'm using RHEL4U4 and do not have autail. Where'd it come from? Also, the doc I have does not mention the -rwxa option for watches. Am I missing some updates, or do I need to upgrade, or is the documentation lagging?

Separate question. With the watches I have enabled, I never am able to tie a user to an access violation. How do I do that?

Sorry if I am a little behind. I can only look at this group's mail messages intermittently due to other responsibilities. I thought I was near submitting a system for government approval, but now I am not so sure.

Thanks,
David


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 12 Jan 2007 11:38:31 -0500

On Friday 12 January 2007 11:09, Kirkwood, David A. wrote:
> I'm using RHEL4U4 and do not have autail. Where'd it come from?

http://www.redhat.com/archives/linux-audit/2006-October/msg00035.html

> Also, the doc I have does not mention the -rwxa option for watches.

That was a typo. It should have been -p rwxa. It should be in auditctl man page.

> Separate question. With the watches I have enabled, I never am able to
> tie a user to an access violation. How do I do that?

It should be done automatically. The auid is the field that you would look at. We've configured the pam settings for sshd,login,gdm, cron,vsftpd,remote to include the pam_loginuid.so module. This is needed for it to work. Unless you changed them, it should be set up at installation.

-Steve


From: "Kirkwood, David A."
Subject: RE: Audit config for NISPOM req's
Date: Fri, 12 Jan 2007 13:45:02 -0500

I have reset the watch line to be

-w /etc/passwd -p rwxa

Then, as a normal user I execute

cat > /etc/passwd

And get a permission denied.

Then when I execute aureport -w --failed, the auid field shows up as -1 as it does for every watch list. Am I missing something?

Thanks,
David A. Kirkwood
SAIC


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Fri, 12 Jan 2007 14:49:32 -0500

On Friday 12 January 2007 13:45, Kirkwood, David A. wrote:
> Then when I execute aureport -w --failed, the auid field shows up as -1
> as it does for every watch list. Am I missing something?

Yes.

#cd /etc/pam.d
#grep loginuid *

See if you have that in your pam stack. You should see something like this:

atd:session required pam_loginuid.so
crond:session required pam_loginuid.so
gdm:session required pam_loginuid.so
gdm-autologin:session required pam_loginuid.so
kcheckpass:session required pam_loginuid.so
kdm:session required pam_loginuid.so
kdm-np:session required pam_loginuid.so
kscreensaver:session required pam_loginuid.so
login:session required pam_loginuid.so
remote:session required pam_loginuid.so
sshd:session required pam_loginuid.so
vsftpd:session required pam_loginuid.so
xdm:session required pam_loginuid.so

-Steve


From: "Kirkwood, David A."
Subject: RE: Audit config for NISPOM req's
Date: Tue, 16 Jan 2007 10:51:37 -0500

Steve,

My pam.d directory shows:

atd:session required pam_loginuid.so
crond:session required pam_loginuid.so
gdm:session required pam_loginuid.so
gdm-autologin:session required pam_loginuid.so
kcheckpass:session required pam_loginuid.so
kdm:session required pam_loginuid.so
kdm-np:session required pam_loginuid.so
login:session required pam_loginuid.so
remote:session required pam_loginuid.so
sshd:session required pam_loginuid.so
wbem:session required pam_loginuid.so
xdm:session required pam_loginuid.so

I added

xcreensaver session required pam_loginuid.so

but it had no effect. Is there anything else I missed?

Thanks,
Dave


From: Steve Grubb
Subject: Re: Audit config for NISPOM req's
Date: Tue, 16 Jan 2007 11:15:10 -0500

On Tuesday 16 January 2007 10:51, Kirkwood, David A. wrote:
> My pam.d directory shows:

This all looks correct now.

> I added
> xcreensaver session required pam_loginuid.so
> but it had no effect.

I wouldn't. xscreensaver runs as a common user and does not have the capabilities needed to set the loginuid.

> Is there anything else I missed?

That should do it. The communication chain here is:

login->pam->kernel
kernel->auditd

You should get a kernel event when you do this as root:

echo 500 > /proc/self/loginuid
ausearch -ts today -m LOGIN

time->Tue Jan 16 11:11:43 2007
type=LOGIN msg=audit(1168963903.962:1310): login pid=19065 uid=0 old auid=500 new auid=500

If that's not working, you have a kernel problem. If it's working, I'd look at pam/login.

-Steve
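Three rule mistakes come up in this thread: the watch permission list written as -rwxa instead of -p rwxa, the man page's success!=0 for failed calls, and an entry,possible rule with no watch to turn the collected data into an event. The lint below is an added example, not code from the thread or from the audit package; the rule sets it checks are constructed here to mirror the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread or the audit package: a lint for
# audit.rules text that catches the three mistakes discussed in the thread
# before the rules are handed to auditctl. Nothing here touches the kernel.

# Print one line per problem found in the rule text passed as $1.
# Returns 0 when the rule set is clean, 1 when any problem was found.
lint_audit_rules() {
    rules=$1
    problems=0

    # Mistake 1: "-w FILE -rwxa" glues the permission list to a dash.
    # auditctl wants the permissions after -p: "-w FILE -p rwxa".
    n=$(printf '%s\n' "$rules" \
        | grep -c -E '^[[:space:]]*-w[[:space:]]+[^[:space:]]+[[:space:]]+-[rwxa]+([[:space:]]|$)' || true)
    if [ "$n" -gt 0 ]; then
        echo "watch permissions given as -rwxa; auditctl expects -p rwxa"
        problems=$((problems + 1))
    fi

    # Mistake 2: the old man page's "-F success!=0". The success field is
    # 1 for a successful call and 0 for a failed one, so !=0 selects the
    # successful calls; failed calls are selected with "-F success!=1".
    n=$(printf '%s\n' "$rules" | grep -c 'success!=0' || true)
    if [ "$n" -gt 0 ]; then
        echo "success!=0 selects successful calls; failed calls are success!=1"
        problems=$((problems + 1))
    fi

    # Mistake 3: an entry,possible rule only collects data at syscall entry.
    # Without a watch (or an SELinux AVC) nothing turns it into an event.
    possible=$(printf '%s\n' "$rules" | grep -c -E '^[[:space:]]*-a[[:space:]]+entry,possible' || true)
    watches=$(printf '%s\n' "$rules" | grep -c -E '^[[:space:]]*-w[[:space:]]' || true)
    if [ "$possible" -gt 0 ] && [ "$watches" -eq 0 ]; then
        echo "entry,possible rule has no -w watch to emit an event"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample: the rules from Karen's test, with the -rwxa slip.
RULES_AS_POSTED='-D
-w /etc/nsswitch.conf -rwxa
-a exit,always -S open -F success!=1'

# Constructed sample: the same intent written the way auditctl expects.
RULES_FIXED='-D
-w /etc/nsswitch.conf -p rwxa
-a exit,always -S open -F success!=1'

# Constructed sample: the man page rule plus a possible rule with no watch.
RULES_FROM_MANPAGE='-D
-a exit,always -S open -F success!=0
-a entry,possible -S open'

# Stand-alone run: report on each constructed sample.
for name in RULES_AS_POSTED RULES_FIXED RULES_FROM_MANPAGE; do
    echo "== $name"
    case $name in
        RULES_AS_POSTED)    rules=$RULES_AS_POSTED ;;
        RULES_FIXED)        rules=$RULES_FIXED ;;
        RULES_FROM_MANPAGE) rules=$RULES_FROM_MANPAGE ;;
    esac
    if lint_audit_rules "$rules"; then echo "clean"; fi
done
```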
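David's auid of -1 in aureport appears in the raw log as auid=4294967295 on the SYSCALL record. This added example, not from the thread or from the audit tools, joins SYSCALL and PATH records by serial number to list failed opens and flag those recorded without a login uid. The log records are constructed, modelled on the RHEL4-era format, and it assumes syscall 5 is open() on i386 (arch=40000003).

```shell
#!/bin/sh
# Added example, not from the thread or the audit tools: list failed open()
# calls from raw audit.log text and flag the ones whose auid is unset
# (4294967295, which aureport prints as -1). That is the symptom David sees
# when pam_loginuid.so is missing from the PAM stack of the service that
# started the session. The records below are constructed for this example,
# modelled on the RHEL4-era format; syscall 5 is open() on i386 (arch=40000003).

# Reads audit records on stdin; prints "SERIAL PATH auid=VALUE" per failed
# open, sorted by serial, with "auid=UNSET" when no login uid was recorded.
# The file name is taken from the last PATH record of the event.
report_failed_opens() {
    awk '
    # serial number from "msg=audit(SECONDS.MS:SERIAL):"
    function serial(line,   s) {
        s = line
        sub(/^.*msg=audit\([0-9.]+:/, "", s)
        sub(/\).*$/, "", s)
        return s
    }
    # value of " key=value" in a record, quotes stripped, "" if absent
    function field(line, key,   s) {
        if (match(line, " " key "=[^ ]*") == 0) return ""
        s = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    /^type=SYSCALL / && field($0, "syscall") == "5" && field($0, "success") == "no" {
        id = serial($0)
        failed[id] = 1
        auid[id] = field($0, "auid")
    }
    /^type=PATH / {
        id = serial($0)
        if (id in failed) path[id] = field($0, "name")
    }
    END {
        for (id in failed) {
            tag = (auid[id] == "4294967295") ? "auid=UNSET" : ("auid=" auid[id])
            printf "%s %s %s\n", id, path[id], tag
        }
    }' | sort -n
}

# Number of failed opens that carry no login uid (reads records on stdin).
count_unset_auid() {
    report_failed_opens | grep -c 'auid=UNSET' || true
}

# Constructed records: two failed opens of /etc/nsswitch.conf by uid 500
# (exit=-13 is EACCES) and one successful open of /etc/hosts. The first
# failed open came from a session without pam_loginuid, the second from a
# session after it was added.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1168963903.962:1311): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe5a0 a1=8241 a2=1b6 a3=8241 items=1 pid=19070 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1168963903.962:1311):  cwd="/home/karen"
type=PATH msg=audit(1168963903.962:1311): item=0 name="/etc/nsswitch.conf" inode=65100 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168963950.114:1315): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe5a0 a1=8000 a2=0 a3=8000 items=1 pid=19071 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1168963950.114:1315):  cwd="/home/karen"
type=PATH msg=audit(1168963950.114:1315): item=0 name="/etc/hosts" inode=65020 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168964012.508:1320): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe5a0 a1=8241 a2=1b6 a3=8241 items=1 pid=19090 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1168964012.508:1320):  cwd="/home/karen"
type=PATH msg=audit(1168964012.508:1320): item=0 name="/etc/nsswitch.conf" inode=65100 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
EOF
}

# Stand-alone run over the constructed records.
sample_audit_log | report_failed_opens
```

Events still tagged auid=UNSET after pam_loginuid.so is in every login service point at whichever service started those sessions, which is the pam/login side of the chain Steve describes.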