Re: RHEL 5 audit events

[Steve Grubb <sgrubb@redhat.com>]

On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote:
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.

[root ~]# ssh -l badacct localhost
badacct@localhost's password: 
Permission denied, please try again.
badacct@localhost's password: 
Permission denied, please try again.
badacct@localhost's password: 
Permission denied (publickey,gssapi-with-mic,password).
[root ~]# aureport --start today --login --failed

Login Report
============================================
# date time auid host term exe success event
============================================
1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264
2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266
3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268
4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270

[root ~]# ausearch --start today -a 264 -i
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, 
terminal=sshd res=failed)' 

[root ~]# ausearch --start today -i -m USER_LOGIN -sv no
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, 
terminal=sshd res=failed)' 
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909 
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, 
terminal=sshd res=failed)' 
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909 
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, 
terminal=sshd res=failed)' 
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909 
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, 
terminal=sshd res=failed)' 

> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.

This depends a lot on the arch. You could put execute watches on the apps you 
expect someone to use:

-w /bin/date -p x -k time-change

But i also just noticed on x86_64, there is also a clock_settime syscall. I 
found this by stracing the date program and tracking down a permission denied 
message. So, on x86_64, add this:

-a entry,always -S clock_settime -k time-change

And it now shows this:

[sgrubb src]$ date 08200930date: cannot set date: Operation not permitted
Mon Aug 20 09:30:00 EDT 2007

[root ~]# ausearch --start recent -sv no -i
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 
syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0 
a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb 
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb 
sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date 
subj=user_u:system_r:unconfined_t:s0 key="time-change"

Hope this helps...

-Steve