Re: Matching SSHD information in audit logs

[Steve Grubb <sgrubb@redhat.com>]

On Tuesday, December 17, 2019 12:16:14 PM EST MAUPERTUIS, PHILIPPE wrote:
> > > What are the corresponding events in audit ?
> > 
> > I don't think anyone has ever tried to map between syslog and audit. I
> > also think that CIS maybe doesn't understand audit and how it works. For
> > quite some time, there has been a requirement to log any key lifecycle
> > in the audit logs. This means that the DH key exchange and the session
> > keys get logged when they are created and when they are destroyed. Also,
> > pam logs the session
> > beginning and end. And sshd logs any keys that it accepts. So, I think
> > the information is there if one wanted or needed to map between them. But
> > it should be unnecessary. I'm not sure what CIS is looking for in syslog.
> > Because if there is something important in syslog that is not in the
> > audit logs, I'd like to know what it is.
> > 
> > > My main concern is with the bold line which indicates how the public
> > > key was granted
> > 
> > That should also be in the audit logs.
> 
> I find in the audit log which key has been accepted but not that it has
> been accepted due to /usr/bin/sss_ssh_authorizedkeys (and not a local
> authorized_keys file). In the USER_AUTH message I can see a field
> grantors=auth-key but I don't know how to interpret it.

The grantors part comes from pam. It is used to describe what in the pam 
stack allowed the access. Sshd should use "pubkey_auth" somewhere in the 
event if it granted the access.

> I had a look at
> https://github.com/linux-audit/audit-documentation/blob/master/specs/field
> s/field-dictionary.csv but grantor is not mentioned there I didn't other
> fields as well :
> From SOFTWARE_UPDATE the fields sw, sw_type, key_enforce are not listed.
> The page
> https://github.com/linux-audit/audit-documentation/blob/master/specs/messa
> ges/message-dictionary.csv doesn't mention the type SOFTWARE_UPDATE Maybe I
> am looking at the wrong place, Where should I look ?

This has not been updated in a long time. The source code is where I go to 
find the truth about anything.  :-)

> > > Could you point me to a documentation showing which events a ssh login
> > > would generate ?
> > 
> > To my knowledge, there is no document that singles out what a sshd login
> > should look like. There are documents that explain what the record type
> > are. And you should be able to isolate them by ausearch -x sshd.
> 
> What I missed was this ausearch -x sshd which gives me the events

OK. Good. Glad that was helpful.

-Steve