From mboxrd@z Thu Jan 1 00:00:00 1970 From: Trevor Vaughan Subject: Re: auditing activity where uid==0 Date: Fri, 04 Dec 2009 06:08:42 -0500 Message-ID: <4B18EDBA.5070603@gmail.com> References: <4ADC7F89.5030501@uwo.ca> <200910191114.45636.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com [10.5.110.14]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id nB4B91WB026053 for ; Fri, 4 Dec 2009 06:09:01 -0500 Received: from mail-vw0-f191.google.com (mail-vw0-f191.google.com [209.85.212.191]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nB4B8jpg019318 for ; Fri, 4 Dec 2009 06:08:46 -0500 Received: by vws29 with SMTP id 29so1008089vws.6 for ; Fri, 04 Dec 2009 03:08:45 -0800 (PST) In-Reply-To: <200910191114.45636.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > -a entry,always -S execve -F euid=0 -F auid>=500 -F auid!=4294967295 Be aware that this rule does grab the nfsnobody user, which has a uid > 500. > > The loginuid is only set for real logins. But if they issue "service httpd > restart", then apache has their loginuid, too, and you will start getting > apache events. Yes, and this is quite painful. > >> I'm getting lots of extraneous chatter from sshd, automount, and cron, all >> of which are from tty=(none), but I'm not sure it's possible to filter on >> tty... It's not as far as I could find, though this would be an awesome feature. Basically, the ability to say, tty!=none. > > The way that we suggest auditing the actions of a root user is by using the > tty audit capability. This is a little more specific about what is really > happening. For example, someone could start a python shell and start issuing > commands. If you audit by execve, then all you see is python start up and then > you see nothing else. Also, bash can do networking. Its possible to transfer > files using bash primitives that you won't pick up by auditing execve syscalls. > Awk is also network aware... One thing to note about the tty audit capability is that it is a forward processing logger, not an echo logger. This means that it *will* capture passwords that you type in at the command line even if they are not echoed. You may want to look at something like sudosh or the like which are echo loggers and will not collect anything that is hidden from the terminal. This presents it's own problems, but at least won't grab sensitive passwords in general. Trevor -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAksY7boACgkQyjMdFR1108BQxQCeNnLC/430OiNSHVZVhU2GdJ6h BEwAn34K52cRhSZsDQ1PpFbtqP1tnqwa =7MfW -----END PGP SIGNATURE-----