From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Henning, Arthur C. (CSL)"
Subject: (no subject)
Date: Sat, 18 Aug 2007 12:02:04 -0500
Message-ID: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D27@XMBTX113.northgrum.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

RHEL 5

I have two events that I am having difficulty capturing or reviewing with the audit sub-system.

1. su - "non_existent_account". Using the nispom.rules provided by audit 1.5.6-1. Using various ausearch parameters, I am unable to find a corresponding failure when attempting to "su" to a non-existent account.

2. Non-privileged user attempting to change the date/time on the server. Of course the user fails to be able to do so, but I am unable to capture or review the event.

Not sure if these are audit rule configuration or search unknowns or audit sub-system limitations.

Thank you
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corporation
art.henning@ngc.com
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Henning, Arthur C. (CSL)"
Subject: RHEL 5 audit events
Date: Sat, 18 Aug 2007 12:04:21 -0500
Message-ID: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D28@XMBTX113.northgrum.com>
In-Reply-To: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D27@XMBTX113.northgrum.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> RHEL 5
>
> Have two events having difficulty capturing or reviewing with the
> audit sub-system.
>
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.
>
> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.
>
> Not sure if these are audit rule configuration or search unknowns or
> audit sub-system limitations.
>
> Thank you
> Art Henning (CSL)
> Enterprise IT Solutions
> Northrop Grumman Corporation
> art.henning@ngc.com
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: RHEL 5 audit events
Date: Tue, 21 Aug 2007 09:52:03 -0400
Message-ID: <200708210952.04506.sgrubb@redhat.com>
In-Reply-To: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D28@XMBTX113.northgrum.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote:
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.

[root ~]# ssh -l badacct localhost
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied (publickey,gssapi-with-mic,password).

[root ~]# aureport --start today --login --failed

Login Report
============================================
# date time auid host term exe success event
============================================
1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264
2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266
3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268
4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270

[root ~]# ausearch --start today -a 264 -i
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'

[root ~]# ausearch --start today -i -m USER_LOGIN -sv no
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'

> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.

This depends a lot on the arch. You could put execute watches on the apps you expect someone to use:

-w /bin/date -p x -k time-change

But I also just noticed on x86_64, there is also a clock_settime syscall. I found this by stracing the date program and tracking down a permission denied message.
So, on x86_64, add this:

-a entry,always -S clock_settime -k time-change

And it now shows this:

[sgrubb src]$ date 08200930
date: cannot set date: Operation not permitted
Mon Aug 20 09:30:00 EDT 2007

[root ~]# ausearch --start recent -sv no -i
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0 a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date subj=user_u:system_r:unconfined_t:s0 key="time-change"

Hope this helps...

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: RHEL 5 audit events
Date: Tue, 21 Aug 2007 10:09:20 -0400
Message-ID: <200708211009.21227.sgrubb@redhat.com>
In-Reply-To: <200708210952.04506.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 21 August 2007 09:52:03 Steve Grubb wrote:
> > 1. su - "non_existent_account". Using the nispom.rules provided by
> > audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> > corresponding failure when attempting to "su" to a non-existent
> > account.

On second thought...you were asking about su. This app has not been patched for auditing...although I think it should be. In the meantime, you can put a watch on the app:

-w /bin/su -p x -k su-used

[sgrubb src]$ su - badacct
su: user badacct does not exist

[root ~]# ausearch --start recent -k su-used -i
----
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=1 name=(null) inode=13107250 dev=08:08 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=0 name=/bin/su inode=24641546 dev=08:08 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:su_exec_t:s0
type=CWD msg=audit(08/21/2007 10:06:49.166:382) : cwd=/home/sgrubb/working/BUILD/coreutils-5.97/src
type=EXECVE msg=audit(08/21/2007 10:06:49.166:382) : a0="su" a1="-" a2="badacct"
type=SYSCALL msg=audit(08/21/2007 10:06:49.166:382) : arch=x86_64 syscall=execve success=yes exit=0 a0=18172cd0 a1=18186460 a2=18192880 a3=8 items=2 ppid=6092 pid=6443 auid=sgrubb uid=sgrubb euid=root suid=root fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=su exe=/bin/su subj=user_u:system_r:unconfined_t:s0 key="su-used"

Hope this helps....

-Steve
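As an added example (not code from the thread or from the audit project), the review logic a defender would run over records in the interpreted (ausearch -i) format Steve shows for both of his rules: it flags denied clock_settime calls under the time-change key and, for su-used events, pulls the target account out of the EXECVE record. The sample records are constructed and trimmed to the fields used; note that the execute watch only proves su was run, since execve itself succeeds even when the account does not exist.

```python
import re
# Constructed sample records in the interpreted (ausearch -i) format used in the thread.
SAMPLE = """\
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0 items=0 pid=6369 auid=sgrubb uid=sgrubb comm=date exe=/bin/date key="time-change"
type=EXECVE msg=audit(08/21/2007 10:06:49.166:382) : a0="su" a1="-" a2="badacct"
type=SYSCALL msg=audit(08/21/2007 10:06:49.166:382) : arch=x86_64 syscall=execve success=yes exit=0 items=2 pid=6443 auid=sgrubb uid=sgrubb euid=root comm=su exe=/bin/su key="su-used"
type=SYSCALL msg=audit(08/21/2007 10:08:00.001:390) : arch=x86_64 syscall=clock_settime success=yes exit=0 auid=root uid=root comm=date exe=/bin/date key="time-change"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Split one interpreted record into (type, event serial, {field: value}) or None."""
    if not (m := HEADER.match(line.strip())):
        return None  # '----' separators and blank lines are not records
    rtype, _ts, serial, rest = m.groups()
    return rtype, int(serial), {k: v.strip('"\'') for k, v in FIELD.findall(rest)}

def audit_events(text):
    """Group records by event serial, as ausearch does between its ---- separators."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec[1], []).append(rec)
    return events

def failed_time_changes(text):
    """Denied clock_settime calls under the time-change key: (serial, auid, exe)."""
    return [(s, f.get('auid'), f.get('exe'))
            for s, recs in sorted(audit_events(text).items()) for t, _, f in recs
            if t == 'SYSCALL' and f.get('key') == 'time-change'
            and f.get('syscall') == 'clock_settime' and f.get('success') == 'no']

def su_targets(text):
    """Account named on the su command line per su-used event: (serial, auid, target).
    The execute watch records that su ran, not whether the switch succeeded."""
    out = []
    for serial, recs in sorted(audit_events(text).items()):
        sysc = next((f for t, _, f in recs if t == 'SYSCALL'), {})
        if sysc.get('key') != 'su-used':
            continue
        ex = next((f for t, _, f in recs if t == 'EXECVE'), {})
        args = [ex[f'a{i}'] for i in range(len(ex)) if f'a{i}' in ex]
        # first non-option argument after argv[0] names the target; none means root
        target = next((a for a in args[1:] if not a.startswith('-')), 'root')
        out.append((serial, sysc.get('auid'), target))
    return out
```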