From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Use case not covered by the audit library?
Date: Wed, 06 Jan 2016 15:05:44 -0500
Message-ID: <8445926.khRdTJspS3@x2>
References: <2812121.l6i04u8maX@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Gulland, Scott A"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Wednesday, January 06, 2016 06:03:58 PM Gulland, Scott A wrote:
> > -----Original Message-----
> > From: Steve Grubb [mailto:sgrubb@redhat.com]
> >
> > It has to be a field name that auparse expects to be encoded.
> >
> > > So I plan on using the "op", "data" and "euid" fields.
> >
> > euid would be a kernel originating field name. User space could lie about
> > it. The kernel is the only thing that knows the truth.
>
> Unfortunately, that is not true for HTTP servers which run as root but
> authenticate the true user issuing the REST request. The authentication
> is done through PAM. The HTTP server then carries out the action on behalf
> of that user. The kernel thinks it's a root user, but the HTTP server
> knows otherwise. It sounds like there is no way for a trusted user app to
> inject the correct uid into the audit event. Would you recommend I use
> the "user" field instead of "euid" to indicate who is issuing the request?
>
> > > Only the data field needs to be encoded and ausearch does decode this
> > > field correctly. My message text would look like:
> > > "op= data= euid="
> > >
> > > When I was using ausearch I expected to be able to find events by uid
> > > using either the "-ua" or "-ue" option that would match the euid
> > > field's value, but no matching events were found. Is this expected
> > > behavior?
> >
> > What is the record type? ausearch is optimized to expect certain record
> > types to have fields in a specific order.
>
> I am using the AUDIT_USYS_CONFIG event type as I would like to use
> "aureport -c" to get a summary of the configuration changes to the switch.
> As an alternative, I could use the AUDIT_TRUSTED_APP event type.

The USYS_CONFIG event is like this:

type=USYS_CONFIG msg=audit(1389095562.552:540): pid=2249 uid=0 auid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'

The kernel supplies all the pieces up to the msg= portion. After that is what
you build. The only real field the event writer does is the op= field; the
rest are supplied by libaudit. Ausearch does not parse the op= field.

What I would suggest in a case like this is to create a small utility that
generates the exact report that you want. The auparse library makes that
super easy. I can dig up the skeleton code for something like this if you
want.

-Steve

> > > The "-I" option did correctly convert the euid into the user name.
> >
> > Interpreting and searching are different areas of the code base and are
> > independent. Interpreting is done after searching. No need to interpret
> > fields that will never be output.
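Added example (not from this thread and not part of the audit project): the "small utility that generates the exact report you want" that Steve describes, written as a stand-alone Python script. Steve's suggestion is to build it on the auparse C library; this example instead tokenizes the record layout quoted above by hand so it runs offline with no libauparse dependency. The sample records are constructed in the layout of the quoted USYS_CONFIG event (the op= names, pids and second auid are invented). The report keys on the kernel-supplied auid rather than anything the writer placed inside msg='...', which is the trust boundary the thread draws: the kernel prefix is authoritative, the quoted part is only the application's claim.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread) laid out like the USYS_CONFIG
# event quoted above: a kernel-supplied prefix up to msg=', then the text the
# user-space event writer (via libaudit) supplied inside the quotes.
SAMPLE_LOG = """\
type=USYS_CONFIG msg=audit(1389095562.552:540): pid=2249 uid=0 auid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=? addr=? terminal=pts/0 res=success'
type=USYS_CONFIG msg=audit(1389095600.100:541): pid=3101 uid=0 auid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=set-hostname exe="/usr/sbin/httpd" hostname=? addr=10.0.0.5 terminal=? res=success'
type=USYS_CONFIG msg=audit(1389095650.250:542): pid=3101 uid=0 auid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=set-hostname exe="/usr/sbin/httpd" hostname=? addr=10.0.0.5 terminal=? res=failed'
type=USYS_CONFIG msg=audit(1389095700.000:543): pid=3120 uid=0 auid=5001 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=change-system-time exe="/usr/sbin/hwclock" hostname=? addr=? terminal=pts/2 res=success'
type=USER_LOGIN msg=audit(1389095800.000:544): pid=3130 uid=0 auid=4325 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=4325 exe="/usr/sbin/sshd" hostname=? addr=10.0.0.7 terminal=ssh res=success'
"""

# name=value pairs; a value is either "double quoted" or a run of non-blanks
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# the msg=audit(<seconds>.<millis>:<serial>): stamp the kernel puts on every record
STAMP_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def _pairs(text):
    """Tokenize a run of name=value pairs into a dict (surrounding quotes stripped)."""
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def parse_record(line):
    """Split one audit record into its kernel-supplied part and its msg='...' part.

    Kernel fields (type, serial, time, pid, uid, auid, ses, subj) land at the top
    level of the returned dict; whatever the event writer supplied is under 'msg'.
    """
    head, sep, tail = line.rstrip().partition(" msg='")
    rec = _pairs(head)
    stamp = STAMP_RE.search(rec.get("msg", ""))
    if stamp:
        rec["time"] = float(f"{stamp.group(1)}.{stamp.group(2)}")
        rec["serial"] = int(stamp.group(3))
    rec.pop("msg", None)
    # ausearch does not parse op= (or anything else the writer put inside the
    # quotes), so a custom report has to tokenize this part itself.
    rec["msg"] = _pairs(tail.rstrip("'")) if sep else {}
    return rec


def config_change_report(log_text):
    """Summarise USYS_CONFIG records the way 'aureport -c' would.

    The key is (auid, op, res). auid is taken from the kernel prefix on purpose:
    fields inside msg='...' are only the writer's claim, so attribution rests on
    the login uid the kernel recorded, not on a uid the application asserts.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "USYS_CONFIG":
            continue
        counts[(rec.get("auid"), rec["msg"].get("op"), rec["msg"].get("res"))] += 1
    return counts


def format_report(counts):
    """Render the counter as a plain-text table."""
    lines = ["auid   op                     res      count"]
    for (auid, op, res), n in sorted(counts.items()):
        lines.append(f"{auid:<6} {op:<22} {res:<8} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(config_change_report(SAMPLE_LOG)))
```

To run it against a real system, replace SAMPLE_LOG with the contents of the audit log file, or pipe records in from ausearch's raw output. The split on the literal " msg='" is what keeps the two trust domains apart: everything before it came from the kernel, everything after it is what the writer handed to libaudit, and the report only ever attributes a change to the kernel's auid.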