* Login/Logouts (UNCLASSIFIED)
From: Mackanick, Jason W CTR DISA GIG-OP @ 2007-02-28 20:31 UTC (permalink / raw)
To: linux-audit
Classification: UNCLASSIFIED
Caveats: NONE
Hello everyone,
Newbie to the list. I am in position of writing technical
implementation guidance for DISA and I am looking for a method to audit
logins/logouts. I have not been able to come up with a syscall that
would cover this. Any help would be appreciated.
Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team
* Re: Login/Logouts (UNCLASSIFIED)
From: Steve Grubb @ 2007-02-28 21:13 UTC (permalink / raw)
To: linux-audit; +Cc: Mackanick, Jason W CTR DISA GIG-OP
On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in position of writing technical implementation guidance for DISA and I
> am looking for a method to audit logins/logouts.
We've patched login, gdm, and openssh to send a USER_LOGIN message to denote
this event.
time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525:
exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0
res=success)'
> I have not been able to come up with a syscall that would cover this. Any
> help would be appreciated.
It's actually a whole series of events that allows a login. The sequence is:
LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ,
and then USER_LOGIN. Cron and some other daemons that are pamified can create
most of these events as they run. This is why we send a specific event from
the app. Aureport looks for USER_LOGIN messages for its login accounting.
[root]# aureport --start today
Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13
If you want more detail, run the login report:
[root]# aureport --start today --login -i
Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81
Hope this helps.
-Steve
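Added example, not code from the thread or from the audit project: a small Python parser for records in the layout Steve shows above, plus a report that, like aureport --login, keys only on USER_LOGIN so the PAM events that cron and similar daemons generate are ignored. The sample log is constructed: the second line is the gdm record quoted above, the cron and sshd lines imitate its layout.

```python
import re
from datetime import datetime, timezone

# Constructed sample records: line 2 is the USER_LOGIN record quoted in the
# thread, the others imitate the same layout (a cron PAM event, a failed ssh login).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1172668300.101:110): user pid=2401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0 msg='PAM: authentication acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525: exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1172668400.500:120): user pid=2500 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0 msg='acct="steve": exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=failed)'
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')
UNSET_AUID = "4294967295"  # (unsigned)-1: no login uid was ever set on the task

def parse_fields(text):
    """key=value pairs -> dict; strips surrounding quotes and a trailing ':'."""
    return {k: v.strip('"').rstrip(":") for k, v in FIELD_RE.findall(text)}

def parse_record(line):
    """One auditd line -> dict with type, time, serial, outer fields and the
    msg='...' detail block kept separately (its uid is the user, the outer
    uid is the daemon). Returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    outer, _, inner = body.partition(" msg='")
    rec = {"type": rtype, "serial": int(serial),
           "time": datetime.fromtimestamp(int(secs), timezone.utc)}
    rec.update(parse_fields(outer))
    rec["detail"] = parse_fields(inner.rstrip("'"))
    return rec

def login_report(lines):
    """Mimic 'aureport --login': one row per USER_LOGIN record only, so the
    LOGIN/USER_AUTH/USER_START events cron and other PAM users emit are ignored."""
    rows = []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] != "USER_LOGIN":
            continue
        d = rec["detail"]
        auid = rec.get("auid", UNSET_AUID)
        rows.append({"time": rec["time"].strftime("%Y-%m-%d %H:%M:%S"),
                     "auid": auid if auid != UNSET_AUID else d.get("acct", "?"),
                     "host": d.get("hostname", "?"), "addr": d.get("addr", "?"),
                     "term": d.get("terminal", "?"), "exe": d.get("exe", "?"),
                     "success": d.get("res") == "success", "event": rec["serial"]})
    return rows
```

Times are printed in UTC; the "time->" line in Steve's ausearch output is the same instant in his local zone.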
* Re: Login/Logouts (UNCLASSIFIED)
From: Valdis.Kletnieks @ 2007-02-28 21:18 UTC (permalink / raw)
To: Mackanick, Jason W CTR DISA GIG-OP; +Cc: linux-audit
On Wed, 28 Feb 2007 15:31:41 EST, "Mackanick, Jason W CTR DISA GIG-OP" said:
> Newbie to the list. I am in position of writing technical
> implementation guidance for DISA and I am looking for a method to audit
> logins/logouts. I have not been able to come up with a syscall that
> would cover this. Any help would be appreciated.
That's because "login" isn't a single syscall, and a lot of things happen
during a login - many files get read, programs get run, and so on. That's
why things like gdm, getty, and ssh are modified to cut a non-syscall
audit record when a user logs in.
* Re: Login/Logouts (UNCLASSIFIED)
From: Paul Whitney @ 2007-02-28 22:48 UTC (permalink / raw)
To: Valdis.Kletnieks, Mackanick, Jason W CTR DISA GIG-OP; +Cc: linux-audit
So does that mean this call audit would not work:
-a exit,possible -w /bin/login -F success=0 -F success!=0
What would be an entry to trap users successfully logging in?
Paul Whitney
Paul.whitney@mac.com
* Re: Login/Logouts (UNCLASSIFIED)
From: Steve Grubb @ 2007-02-28 22:54 UTC (permalink / raw)
To: linux-audit; +Cc: Mackanick, Jason W CTR DISA GIG-OP, Valdis.Kletnieks
On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0
This would not audit anything for 3 reasons. "possible" tells it to collect
the information in case it's needed later. The -F options form an "and"
condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.
You might try:
-w /bin/login -p x
But that would get you the fact that the file was executed but probably not
the results of execution. (It probably should).
> What would be an entry to trap users successfully logging in?
We've patched the source code to entry points to send specific messages saying
the intent of the pam session.
-Steve
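Added example, not from the thread or from auditctl itself: a Python linter that encodes the three objections Steve raises to Paul's rule, run against that rule and against the watch Steve suggests instead. The checks are this example's own assumptions about the rule syntax shown above, not auditctl's real validation.

```python
import re
import shlex

# The rule Paul posted, and the watch Steve suggests instead (both from the thread).
PAULS_RULE = "-a exit,possible -w /bin/login -F success=0 -F success!=0"
STEVES_RULE = "-w /bin/login -p x"

CMP_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.*)$")

def lint_audit_rule(rule):
    """Return the problems Steve's reply names for one auditctl rule line.
    These checks are this example's own, not auditctl's validation: a file
    watch (-w) mixed with a syscall rule (-a), contradictory -F filters on
    the same field, and the 'possible' action."""
    toks = shlex.split(rule)
    opts = {}   # option -> list of its arguments, in order
    i = 0
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks):
            opts.setdefault(toks[i], []).append(toks[i + 1])
            i += 2
        else:
            i += 1
    problems = []
    if "-w" in opts and "-a" in opts:
        problems.append("-w (file watch) and -a (syscall rule) cannot be mixed in one rule")
    for action in opts.get("-a", []):
        if "possible" in action.split(","):
            problems.append(f"'possible' in -a {action}: only collects information in case it is needed later")
    seen = {}   # field -> set of (operator, value) pairs; -F filters are ANDed
    for m in map(CMP_RE.match, opts.get("-F", [])):
        if m:
            key, op, val = m.groups()
            seen.setdefault(key, set()).add((op, val))
    for key, cmps in seen.items():
        for op, val in cmps:
            if op == "=" and ("!=", val) in cmps:
                problems.append(f"-F filters are ANDed, so {key}={val} and {key}!={val} can never both be true")
    return problems
```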
* RE: Login/Logouts (UNCLASSIFIED)
From: Mackanick, Jason W CTR DISA GIG-OP @ 2007-03-01 13:41 UTC (permalink / raw)
To: Steve Grubb, linux-audit; +Cc: Valdis.Kletnieks
I am running the standard auditd delivered with rhel4. What is the
latest set of RPMs that I should have to see the login functionality?
I am on a non-internet-connected network that I cannot use up2date for
packages.
Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team
* Re: Login/Logouts (UNCLASSIFIED)
From: Steve Grubb @ 2007-03-01 14:05 UTC (permalink / raw)
To: Mackanick, Jason W CTR DISA GIG-OP; +Cc: linux-audit
On Thursday 01 March 2007 08:41, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am running the standard auditd delivered with rhel4. What is the
> latest set of RPMs that I should have to see the login functionality?
It was delivered in the RHEL4U3 set (audit, pam, login, openssh, gdm). I would
recommend using RHELU4 audit package (audit-1.0.14) and the latest errata
RHEL4 kernel (released this week) as well since it has an important audit
fix.
-Steve
* RE: Login/Logouts (UNCLASSIFIED)
From: Mackanick, Jason W CTR DISA GIG-OP @ 2007-03-01 14:21 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Everyone, Thanks for the help.
Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team