* Help on Audit Rules @ 2012-10-17 2:51 Koresh... 2012-10-17 14:37 ` Peter Moody 0 siblings, 1 reply; 9+ messages in thread From: Koresh... @ 2012-10-17 2:51 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 430 bytes --] Hi Team, I have enabled the audit logs recently ... Currently the auditd daemon is logging all the event and syscalls done based on default rule set ... But currently it only record the events done by the root user or by the sudo ... Need your help to configure the same for Group wise ... so that i can track the group wise events done , rather then adding a rule for each individual users. -- Thanks & Regards, - Koresh [-- Attachment #1.2: Type: text/html, Size: 1152 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-17 2:51 Help on Audit Rules Koresh... @ 2012-10-17 14:37 ` Peter Moody 2012-10-18 1:39 ` Koresh... 0 siblings, 1 reply; 9+ messages in thread From: Peter Moody @ 2012-10-17 14:37 UTC (permalink / raw) To: Koresh...; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 713 bytes --] What rules are currently installed and what logs are you seeing? On Oct 17, 2012 5:59 AM, "Koresh..." <koreshkumar@gmail.com> wrote: > > Hi Team, > > I have enabled the audit logs recently ... Currently the auditd daemon is > logging all the event and syscalls done based on default rule set ... > > But currently it only record the events done by the root user or by the > sudo ... > > Need your help to configure the same for Group wise ... so that i can > track the group wise events done , rather then adding a rule for each > individual users. > > > -- > > Thanks & Regards, > > - Koresh > > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > [-- Attachment #1.2: Type: text/html, Size: 1791 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-17 14:37 ` Peter Moody @ 2012-10-18 1:39 ` Koresh... 2012-10-18 11:29 ` Miloslav Trmac 0 siblings, 1 reply; 9+ messages in thread From: Koresh... @ 2012-10-18 1:39 UTC (permalink / raw) To: Peter Moody; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 4667 bytes --] Hi Peter, Currently i am tring to achive the same through below configuration on audit.rules file ... # Audit all execve calls -a entry,always -S execve -a entry,never -a exclude,always -F msgtype=PATH -a exclude,always -F msgtype=CWD -a exclude,always -F msgtype=CONFIG_CHANGE -a exclude,always -F msgtype=CRED_DISP But the problem on above rule is, it records all the SYSCALL and EXECV calls. Which increasing the log file size. So my question is why normal users audit event logs cant be captured as a "type=USER_TTY" , where as root logs can be captured similarway. Some logs for your reference: type=EXECVE msg=audit(1350523801.169:137779): a0="/usr/lib/sa/sa1" a1="1" a2="1" type=SYSCALL msg=audit(1350523801.169:137780): arch=40000003 syscall=11 success=yes exit=0 a0=86e0ec0 a1=86e08b8 a2=86e0ed8 a3=86e08b8 items=2 ppid=18623 pid=18624 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sadc" exe="/usr/lib/sa/sadc" subj=kernel key=(null) type=EXECVE msg=audit(1350523801.169:137780): a0="/usr/lib/sa/sadc" a1="-F" a2="-L" a3="1" a4="1" a5="-" type=USER_END msg=audit(1350523801.185:137781): user pid=18623 uid=0 auid=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' type=USER_TTY msg=audit(1350524060.169:137782): user pid=18576 uid=0 auid=655 subj=kernel msg='cat /etc/audit/audit.rules ' type=SYSCALL msg=audit(1350524060.169:137783): arch=40000003 syscall=11 success=yes exit=0 a0=8cc4780 a1=8cc4838 a2=8cbd860 a3=0 items=2 ppid=18576 pid=18625 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=kernel key=(null) type=EXECVE msg=audit(1350524060.169:137783): a0="cat" a1="/etc/audit/audit.rules" type=USER_TTY msg=audit(1350524156.789:137784): user pid=18576 uid=0 auid=655 subj=kernel msg='tail -f /var/log/audit/audit.log' type=SYSCALL msg=audit(1350524156.789:137785): arch=40000003 syscall=11 success=yes exit=0 a0=8cc4810 a1=8cc47d0 a2=8cbd860 a3=0 items=2 ppid=18576 pid=18626 auid=655 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" subj=kernel key=(null) type=EXECVE msg=audit(1350524156.789:137785): a0="tail" a1="-f" a2="/var/log/audit/audit.log" type=USER_END msg=audit(1350524172.558:137786): user pid=18249 uid=0 auid=1600 subj=kernel msg='PAM: session close acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)' type=SYSCALL msg=audit(1350524176.426:137787): arch=40000003 syscall=11 success=yes exit=0 a0=81f102e8 a1=81f12a60 a2=81f10300 a3=4 items=2 ppid=1045 pid=18627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=kernel key=(null) type=EXECVE msg=audit(1350524176.426:137787): a0="/usr/sbin/sshd" a1="-R" type=USER_ACCT msg=audit(1350524176.642:137788): user pid=18627 uid=0 auid=4294967295 subj=kernel msg='PAM: accounting acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)' type=CRED_ACQ msg=audit(1350524176.642:137789): user pid=18627 uid=0 auid=4294967295 subj=kernel msg='PAM: setcred acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)' type=USER_START msg=audit(1350524176.642:137790): user pid=18627 uid=0 auid=1600 subj=kernel msg='PAM: session open acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)' type=CRED_REFR msg=audit(1350524176.642:137791): user pid=18629 uid=0 auid=1600 subj=kernel msg='PAM: setcred acct="sysmon" : exe="/usr/sbin/sshd" (hostname=10.162.42.245, addr=10.162.42.245, terminal=ssh res=success)' On Wed, Oct 17, 2012 at 8:07 PM, Peter Moody <pmoody@google.com> wrote: > What rules are currently installed and what logs are you seeing? > On Oct 17, 2012 5:59 AM, "Koresh..." <koreshkumar@gmail.com> wrote: > >> >> Hi Team, >> >> I have enabled the audit logs recently ... Currently the auditd daemon is >> logging all the event and syscalls done based on default rule set ... >> >> But currently it only record the events done by the root user or by the >> sudo ... >> >> Need your help to configure the same for Group wise ... so that i can >> track the group wise events done , rather then adding a rule for each >> individual users. >> >> >> -- >> >> Thanks & Regards, >> >> - Koresh >> >> >> >> -- >> Linux-audit mailing list >> Linux-audit@redhat.com >> https://www.redhat.com/mailman/listinfo/linux-audit >> > -- Thanks & Regards, - Koresh [-- Attachment #1.2: Type: text/html, Size: 7443 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 1:39 ` Koresh... @ 2012-10-18 11:29 ` Miloslav Trmac 2012-10-18 13:35 ` Koresh... 0 siblings, 1 reply; 9+ messages in thread From: Miloslav Trmac @ 2012-10-18 11:29 UTC (permalink / raw) To: Koresh...; +Cc: linux-audit ----- Original Message ----- > So my question is why normal users audit event logs cant be captured > as a "type=USER_TTY" , where as root logs can be captured > similarway. USER_TTY is sent by the process that accepts the keyboard input. Unprivileged users are not allowed to send audit records (otherwise they would be able to fill the queue and/or the log partition, causing a DoS), so the USER_TTY record is discarded. Even for unprivileged users you should have the type=TTY records, although they are noticeably more difficult to interpret. Mirek ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 11:29 ` Miloslav Trmac @ 2012-10-18 13:35 ` Koresh... 2012-10-18 15:33 ` Peter Moody 0 siblings, 1 reply; 9+ messages in thread From: Koresh... @ 2012-10-18 13:35 UTC (permalink / raw) To: Miloslav Trmac; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 879 bytes --] So if i am correct, there is no way we can get the normal user activity through auditd daemon ... Or , please suggest the best way to capture the activity logs for normal users .... On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr@redhat.com> wrote: > ----- Original Message ----- > > So my question is why normal users audit event logs cant be captured > > as a "type=USER_TTY" , where as root logs can be captured > > similarway. > USER_TTY is sent by the process that accepts the keyboard input. > Unprivileged users are not allowed to send audit records (otherwise they > would be able to fill the queue and/or the log partition, causing a DoS), > so the USER_TTY record is discarded. > > Even for unprivileged users you should have the type=TTY records, although > they are noticeably more difficult to interpret. > Mirek > -- Thanks & Regards, - Koresh [-- Attachment #1.2: Type: text/html, Size: 1880 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 13:35 ` Koresh... @ 2012-10-18 15:33 ` Peter Moody 2012-10-18 15:35 ` Peter Moody 2012-10-18 17:02 ` Steve Grubb 0 siblings, 2 replies; 9+ messages in thread From: Peter Moody @ 2012-10-18 15:33 UTC (permalink / raw) To: Koresh...; +Cc: linux-audit, Miloslav Trmac auditctl -a exit,always -S execve -F success=1 will audit log all successful execve(2) calls by all uids. It will incur a (possibly significant) performance hit though. Is there a particular binary/user about you're concerned? On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar@gmail.com> wrote: > > So if i am correct, there is no way we can get the normal user activity > through auditd daemon ... > > Or , please suggest the best way to capture the activity logs for normal > users .... > > > > On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr@redhat.com> wrote: >> >> ----- Original Message ----- >> > So my question is why normal users audit event logs cant be captured >> > as a "type=USER_TTY" , where as root logs can be captured >> > similarway. >> USER_TTY is sent by the process that accepts the keyboard input. >> Unprivileged users are not allowed to send audit records (otherwise they >> would be able to fill the queue and/or the log partition, causing a DoS), so >> the USER_TTY record is discarded. >> >> Even for unprivileged users you should have the type=TTY records, although >> they are noticeably more difficult to interpret. >> Mirek > > > > > -- > > > Thanks & Regards, > > - Koresh > > > -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 15:33 ` Peter Moody @ 2012-10-18 15:35 ` Peter Moody 2012-10-18 15:50 ` Peter Moody 2012-10-18 17:02 ` Steve Grubb 1 sibling, 1 reply; 9+ messages in thread From: Peter Moody @ 2012-10-18 15:35 UTC (permalink / raw) To: Koresh...; +Cc: linux-audit, Miloslav Trmac Also, from the auditctl manpage: The following describes the valid actions for the rule: never No audit records will be generated. This can be used to suppress event generation. In general, you want suppressions at the top of the list instead of the bottom. This is because the event triggers on the first matching rule. On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody@google.com> wrote: > auditctl -a exit,always -S execve -F success=1 > > will audit log all successful execve(2) calls by all uids. It will > incur a (possibly significant) performance hit though. Is there a > particular binary/user about you're concerned? > > > > On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar@gmail.com> wrote: >> >> So if i am correct, there is no way we can get the normal user activity >> through auditd daemon ... >> >> Or , please suggest the best way to capture the activity logs for normal >> users .... >> >> >> >> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr@redhat.com> wrote: >>> >>> ----- Original Message ----- >>> > So my question is why normal users audit event logs cant be captured >>> > as a "type=USER_TTY" , where as root logs can be captured >>> > similarway. >>> USER_TTY is sent by the process that accepts the keyboard input. >>> Unprivileged users are not allowed to send audit records (otherwise they >>> would be able to fill the queue and/or the log partition, causing a DoS), so >>> the USER_TTY record is discarded. >>> >>> Even for unprivileged users you should have the type=TTY records, although >>> they are noticeably more difficult to interpret. >>> Mirek >> >> >> >> >> -- >> >> >> Thanks & Regards, >> >> - Koresh >> >> >> > > > > -- > Peter Moody Google 1.650.253.7306 > Security Engineer pgp:0xC3410038 -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 15:35 ` Peter Moody @ 2012-10-18 15:50 ` Peter Moody 0 siblings, 0 replies; 9+ messages in thread From: Peter Moody @ 2012-10-18 15:50 UTC (permalink / raw) To: Koresh...; +Cc: linux-audit, Miloslav Trmac Whoops, ignore this. I had misread your rules. On Thu, Oct 18, 2012 at 8:35 AM, Peter Moody <pmoody@google.com> wrote: > Also, from the auditctl manpage: > > The following describes the valid actions for the rule: > > never No audit records will be generated. This can be used to > suppress event generation. In general, you want suppressions at the > top of the list instead of the bottom. This is because the event > triggers on the first matching rule. > > > On Thu, Oct 18, 2012 at 8:33 AM, Peter Moody <pmoody@google.com> wrote: >> auditctl -a exit,always -S execve -F success=1 >> >> will audit log all successful execve(2) calls by all uids. It will >> incur a (possibly significant) performance hit though. Is there a >> particular binary/user about you're concerned? >> >> >> >> On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar@gmail.com> wrote: >>> >>> So if i am correct, there is no way we can get the normal user activity >>> through auditd daemon ... >>> >>> Or , please suggest the best way to capture the activity logs for normal >>> users .... >>> >>> >>> >>> On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr@redhat.com> wrote: >>>> >>>> ----- Original Message ----- >>>> > So my question is why normal users audit event logs cant be captured >>>> > as a "type=USER_TTY" , where as root logs can be captured >>>> > similarway. >>>> USER_TTY is sent by the process that accepts the keyboard input. >>>> Unprivileged users are not allowed to send audit records (otherwise they >>>> would be able to fill the queue and/or the log partition, causing a DoS), so >>>> the USER_TTY record is discarded. >>>> >>>> Even for unprivileged users you should have the type=TTY records, although >>>> they are noticeably more difficult to interpret. >>>> Mirek >>> >>> >>> >>> >>> -- >>> >>> >>> Thanks & Regards, >>> >>> - Koresh >>> >>> >>> >> >> >> >> -- >> Peter Moody Google 1.650.253.7306 >> Security Engineer pgp:0xC3410038 > > > > -- > Peter Moody Google 1.650.253.7306 > Security Engineer pgp:0xC3410038 -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Help on Audit Rules 2012-10-18 15:33 ` Peter Moody 2012-10-18 15:35 ` Peter Moody @ 2012-10-18 17:02 ` Steve Grubb 1 sibling, 0 replies; 9+ messages in thread From: Steve Grubb @ 2012-10-18 17:02 UTC (permalink / raw) To: linux-audit; +Cc: Miloslav Trmac On Thursday, October 18, 2012 08:33:59 AM Peter Moody wrote: > auditctl -a exit,always -S execve -F success=1 > > will audit log all successful execve(2) calls by all uids. It will > incur a (possibly significant) performance hit though. Is there a > particular binary/user about you're concerned? Well, this is not the way we normally do it in the audit world. This would capture both system and user events. Normally you want to focus on user events. So, if you correct this rule then you are still faced with it won't catch sourced files. Or the user could event start python and type the commands in directly. So, the way we normally do this is to use the key stroke logging. The main issue is that you won't get the meaning of up arrows and things like that. I think there are ways of restricting the history file and in memory history so that users cannot circumvent it. -Steve > On Thu, Oct 18, 2012 at 6:35 AM, Koresh... <koreshkumar@gmail.com> wrote: > > So if i am correct, there is no way we can get the normal user activity > > through auditd daemon ... > > > > Or , please suggest the best way to capture the activity logs for normal > > users .... > > > > On Thu, Oct 18, 2012 at 4:59 PM, Miloslav Trmac <mitr@redhat.com> wrote: > >> ----- Original Message ----- > >> > >> > So my question is why normal users audit event logs cant be captured > >> > as a "type=USER_TTY" , where as root logs can be captured > >> > similarway. > >> > >> USER_TTY is sent by the process that accepts the keyboard input. > >> Unprivileged users are not allowed to send audit records (otherwise they > >> would be able to fill the queue and/or the log partition, causing a DoS), > >> so the USER_TTY record is discarded. > >> > >> Even for unprivileged users you should have the type=TTY records, > >> although > >> they are noticeably more difficult to interpret. > >> > >> Mirek > > > > -- > > > > > > Thanks & Regards, > > > > - Koresh ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2012-10-18 17:02 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-10-17 2:51 Help on Audit Rules Koresh... 2012-10-17 14:37 ` Peter Moody 2012-10-18 1:39 ` Koresh... 2012-10-18 11:29 ` Miloslav Trmac 2012-10-18 13:35 ` Koresh... 2012-10-18 15:33 ` Peter Moody 2012-10-18 15:35 ` Peter Moody 2012-10-18 15:50 ` Peter Moody 2012-10-18 17:02 ` Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox