From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: RHEL 5 audit events Date: Tue, 21 Aug 2007 09:52:03 -0400 Message-ID: <200708210952.04506.sgrubb@redhat.com> References: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D27@XMBTX113.northgrum.com> <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D28@XMBTX113.northgrum.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D28@XMBTX113.northgrum.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote: > 1. su - "non_existent_account". Using the nispom.rules provided by > audit 1.5.6-1. Using various ausearch parameters, am unable to find a > corresponding failure when attempting to "su" to a non-existent > account. [root ~]# ssh -l badacct localhost badacct@localhost's password: Permission denied, please try again. badacct@localhost's password: Permission denied, please try again. badacct@localhost's password: Permission denied (publickey,gssapi-with-mic,password). [root ~]# aureport --start today --login --failed Login Report ============================================ # date time auid host term exe success event ============================================ 1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264 2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266 3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268 4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270 [root ~]# ausearch --start today -a 264 -i ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' [root ~]# ausearch --start today -i -m USER_LOGIN -sv no ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' > 2. Non-privileged user attempting to change the date/time on the > server. Of course the user fails to be able to do so, but am unable to > capture or review the event. This depends a lot on the arch. You could put execute watches on the apps you expect someone to use: -w /bin/date -p x -k time-change But i also just noticed on x86_64, there is also a clock_settime syscall. I found this by stracing the date program and tracking down a permission denied message. So, on x86_64, add this: -a entry,always -S clock_settime -k time-change And it now shows this: [sgrubb src]$ date 08200930date: cannot set date: Operation not permitted Mon Aug 20 09:30:00 EDT 2007 [root ~]# ausearch --start recent -sv no -i type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0 a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date subj=user_u:system_r:unconfined_t:s0 key="time-change" Hope this helps... -Steve