* (no subject)
@ 2007-08-18 17:02 Henning, Arthur C. (CSL)
2007-08-18 17:04 ` RHEL 5 audit events Henning, Arthur C. (CSL)
0 siblings, 1 reply; 4+ messages in thread
From: Henning, Arthur C. (CSL) @ 2007-08-18 17:02 UTC (permalink / raw)
To: linux-audit
RHEL 5
Have two events having difficulty capturing or reviewing with the audit
sub-system.
1. su - "non_existent_account". Using the nispom.rules provided by audit
1.5.6-1. Using various ausearch parameters, am unable to find a
corresponding failure when attempting to "su" to a non-existent account.
2. Non-privileged user attempting to change the date/time on the server.
Of course the user fails to be able to do so, but am unable to capture
or review the event.
Not sure if these are audit rule configuration or search unknowns or
audit sub-system limitations.
Thank you
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corporation
art.henning@ngc.com
* RHEL 5 audit events
From: Henning, Arthur C. (CSL) @ 2007-08-18 17:04 UTC (permalink / raw)
To: linux-audit
> RHEL 5
>
> Have two events having difficulty capturing or reviewing with the
> audit sub-system.
>
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.
>
> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.
>
> Not sure if these are audit rule configuration or search unknowns or
> audit sub-system limitations.
>
> Thank you
> Art Henning (CSL)
> Enterprise IT Solutions
> Northrop Grumman Corporation
> art.henning@ngc.com
>
* Re: RHEL 5 audit events
From: Steve Grubb @ 2007-08-21 13:52 UTC (permalink / raw)
To: linux-audit
On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote:
> 1. su - "non_existent_account". Using the nispom.rules provided by
> audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> corresponding failure when attempting to "su" to a non-existent
> account.
[root ~]# ssh -l badacct localhost
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied, please try again.
badacct@localhost's password:
Permission denied (publickey,gssapi-with-mic,password).
[root ~]# aureport --start today --login --failed
Login Report
============================================
# date time auid host term exe success event
============================================
1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264
2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266
3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268
4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270
[root ~]# ausearch --start today -a 264 -i
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
[root ~]# ausearch --start today -i -m USER_LOGIN -sv no
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
----
type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909
uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1,
terminal=sshd res=failed)'
> 2. Non-privileged user attempting to change the date/time on the
> server. Of course the user fails to be able to do so, but am unable to
> capture or review the event.
This depends a lot on the arch. You could put execute watches on the apps you
expect someone to use:
-w /bin/date -p x -k time-change
But I also just noticed on x86_64, there is also a clock_settime syscall. I
found this by stracing the date program and tracking down a permission denied
message. So, on x86_64, add this:
-a entry,always -S clock_settime -k time-change
And it now shows this:
[sgrubb src]$ date 08200930
date: cannot set date: Operation not permitted
Mon Aug 20 09:30:00 EDT 2007
[root ~]# ausearch --start recent -sv no -i
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64
syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0
a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb
sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date
subj=user_u:system_r:unconfined_t:s0 key="time-change"
Hope this helps...
-Steve
* Re: RHEL 5 audit events
From: Steve Grubb @ 2007-08-21 14:09 UTC (permalink / raw)
To: linux-audit
On Tuesday 21 August 2007 09:52:03 Steve Grubb wrote:
> > 1. su - "non_existent_account". Using the nispom.rules provided by
> > audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> > corresponding failure when attempting to "su" to a non-existent
> > account.
On second thought...you were asking about su. This app has not been patched
for auditing...although I think it should be. In the meantime, you can put a
watch on the app:
-w /bin/su -p x -k su-used
[sgrubb src]$ su - badacct
su: user badacct does not exist
[root ~]# ausearch --start recent -k su-used -i
----
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=1 name=(null)
inode=13107250 dev=08:08 mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=0 name=/bin/su
inode=24641546 dev=08:08 mode=file,suid,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:su_exec_t:s0
type=CWD msg=audit(08/21/2007 10:06:49.166:382) :
cwd=/home/sgrubb/working/BUILD/coreutils-5.97/src
type=EXECVE msg=audit(08/21/2007 10:06:49.166:382) : a0="su" a1="-"
a2="badacct"
type=SYSCALL msg=audit(08/21/2007 10:06:49.166:382) : arch=x86_64
syscall=execve success=yes exit=0 a0=18172cd0 a1=18186460 a2=18192880 a3=8
items=2 ppid=6092 pid=6443 auid=sgrubb uid=sgrubb gid=sgrubb euid=root
suid=root fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=su
exe=/bin/su subj=user_u:system_r:unconfined_t:s0 key="su-used"
Hope this helps....
-Steve
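The two replies above describe three things a reviewer would look for in the audit trail: a USER_LOGIN record with res=failed for an unknown account, a SYSCALL record keyed time-change with success=no, and an EXECVE/SYSCALL pair keyed su-used from the execute watch on /bin/su. The script below is an added example, not code from the thread or from the audit package; it parses a constructed sample in the `ausearch -i` layout quoted above (event serial after the last colon in msg=audit(...) groups the records of one event) and reports those three findings.

```python
import re
from collections import defaultdict

# Constructed sample in the `ausearch -i` layout quoted in the thread; not a
# real capture.  The serial after the last colon in msg=audit(...) groups the
# records that belong to one event.
SAMPLE = """\
type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(08/21/2007 09:30:02.101:280) : user pid=5910 uid=root auid=unset msg='acct=sgrubb: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=success)'
type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 syscall=clock_settime success=no exit=-1(Operation not permitted) auid=sgrubb uid=sgrubb comm=date exe=/bin/date key="time-change"
type=EXECVE msg=audit(08/21/2007 10:06:49.166:382) : a0="su" a1="-" a2="badacct"
type=SYSCALL msg=audit(08/21/2007 10:06:49.166:382) : arch=x86_64 syscall=execve success=yes exit=0 auid=sgrubb uid=sgrubb euid=root comm=su exe=/bin/su key="su-used"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# A quoted value such as msg='...' is kept as one token so its inner '=' signs
# are not split into separate fields.
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_records(text):
    """Group interpreted audit records by event serial: {serial: [fields, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip("'\"") for k, v in FIELD.findall(body)}
        fields.update(type=rtype, time=stamp)
        events[int(serial)].append(fields)
    return events

def findings(events):
    """Apply the three checks discussed in the thread to the grouped events."""
    out = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r for r in recs}
        login = by_type.get("USER_LOGIN", {})
        if "res=failed" in login.get("msg", ""):            # e.g. unknown account via sshd
            acct = re.search(r"acct=(\S+?):", login["msg"]).group(1)
            out.append((serial, "failed-login", acct))
        sc = by_type.get("SYSCALL", {})
        if sc.get("key") == "time-change" and sc.get("success") == "no":
            out.append((serial, "time-change-denied", sc.get("auid")))
        if sc.get("key") == "su-used":                       # execute watch on /bin/su
            ex = by_type.get("EXECVE", {})
            args = sorted((k for k in ex if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            out.append((serial, "su-used", sc.get("auid") + ":" + " ".join(ex[k] for k in args)))
    return out

if __name__ == "__main__":
    for f in findings(parse_records(SAMPLE)):
        print(f)
```

The successful login (serial 280) is parsed but not reported, which is the distinction the original question was missing: the records exist, the search just has to key on res=failed, success=no or the rule key.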