From: Gary Smith
Subject: Problem with audisp-prelude/auparse on Fedora 10
Date: Tue, 06 Jan 2009 16:40:13 -0800
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello All,

I've been working on getting audit/audisp-prelude/prelude set up on Fedora 10 and run into the situation where it appears that audisp-prelude is not triggering on watched syscall events.

The system is running Fedora 10 with the 2.6.27.9-159.fc10 kernel and audit and audispd-plugins 1.7.10 and the host of prelude software and libraries. I followed Steve's HOWTO on installing and configuring audit and prelude and got it all installed without difficulties. After the configuration, I restarted auditd and saw that audispd and audisp-prelude were running and so were prelude-manager and mysql. After starting up the prewikka-httpd and pointing the web browser at the system, I tried a few things, like logging in and out successfully and unsuccessfully. I was pleased to see the events pop up in the browser window. I did some more tests wherein I caused programs to seg fault and these events got recorded too. Needless to say I was impressed. Next I used the system-config-audit GUI tool to create some watch points on files with the ids-type-severity set to get audisp-prelude's attention. Here's the listing of the rules from auditctl -l:

LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=ids-file-hi
LIST_RULES: exit,always watch=/bin/ping perm=x key=ids-exec-inf

I restarted auditd and ran ping. Nothing showed up in the browser window. I ran ping again, several times. Nothing at all. I did some things to /etc/shadow and nothing. I did an ausearch for the key=ids-exec-inf and got something like this:

time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"

So, it looks like the watch points are firing and the records are getting into the audit log.

Then I did an aureport --summary -k

Key Summary Report
===========================
total  file
===========================
112  ids-file-hi
16  ids-exec-inf

So both ausearch and aureport can find the keys and interpret them.

Next, I did ausearch --raw -k ids-file-hi > test.log and audisp-prelude --test < ./test.log

Nothing happened. All I got was "audisp-prelude is exiting on stop request".

I was confused about what was happening. Why do 2 programs see the keys and not the other one?

So I downloaded the source (audit-1.7.10.tar.gz) and rebuilt the audit package with prelude. When I executed the locally built audisp-prelude as above, I got the same result.

Looking through the code, the file audisp-prelude.c has a function called handle_watched_syscalls. After playing around with putting debug statements into the code and rerunning the test, over several runs, it looks like auparse_find_field is not finding the "key" field. The reason ausearch and aureport can find the "key" field is that they don't use auparse. I edited the test.log file and moved the "key" fields to the start of the record and ran the test; no difference. Next, I modified the source to audisp-prelude.c so that instead of looking for "key" to introduce "ids-" info, handle_watched_syscalls would look for "subj" instead (I picked this one since I had seen that auparse_find_field could find this field). I edited the test.log to replace "key=" with "subj=" and reran the test. This time I got output:

version: <empty>
alert:
    analyzer(0):
        analyzerid: 4123513432298101
        name: auditd
        manufacturer: Red Hat, http://people.redhat.com/sgrubb/audit/
        model: auditd
        version: 1.7.10
        class: HIDS
        ostype: Linux
        osversion: 2.6.27.9-159.fc10.i686
        node:
            category: unknown (0)
            name: localhost.localdomain
        process:
            name: lt-audisp-prelude
            pid: 3661
            path: /home/gsmith/Projects/audit-1.7.10/audisp/plugins/prelude/.libs/lt-audisp-prelude
    create_time: 06/01/2009 15:28:34.312712 -08:00
    classification:
    detect_time: 31/12/2008 10:08:16.0 -08:00
    source(0):
        spoofed: unknown (0)
        node:
            category: hosts (6)
            name: dr-who.timelord.com
        user:
            category: application (1)
            user_id(0):
                type: original-user (0)
                tty: pts1
                name: gsmith
                number: 500
        process:
            name: ping
            pid: 3391
            path: /bin/ping
    target(0):
        decoy: unknown (0)
        node:
            category: hosts (6)
            name: dr-who.timelord.com
        file(0):
            text: Watched Executable
            name: ping
            path: /bin/ping
            category: current (1)
    assessment:
        impact:
            severity: info (1)
            completion: succeeded (2)
            type: user (5)
            description: A user has attempted to execute a program that is being watched.
    additional_data(0):
        type: string (0)
        meaning: Execve args
        data: a0=ping a1=-c a2=5 a3=10.0.2.2
    additional_data(1):
        type: string (0)
        meaning: Audit event serial #
        data: 66

Looking further, I found auparse_find_next calls nvlist_find_name in nvlist.c. I added some debug statements to nvlist_find_name, and it seems to never compare its linked list of names against "key". So, I'm guessing that the linked list is not built correctly.

So, have I been barking up the wrong tree on why audisp-prelude does not trigger on "key=ids-" type of fields? Any comments would be greatly appreciated.

Best regards,

Gary Smith
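Added example (not code from the post or from the audit project): a Python model of the multi-record lookup the post describes. It parses the execve event quoted above, constructed here as sample input in the one-record-per-line form ausearch --raw emits, into per-record name/value lists the way auparse builds an nvlist, and shows that key= is carried only by the SYSCALL record, so a lookup has to walk every record of the event rather than just the current one; the ids-<type>-<severity> split assumes the key naming convention the post uses.

```python
import re

# Constructed sample: the execve event quoted in the post, in the one-record-per-line
# form "ausearch --raw" emits; every record carries the same audit(ts:serial) id.
RAW_EVENT = """\
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """One raw record -> ordered (name, value) list, like auparse's nvlist."""
    return [(n, v.strip('"')) for n, v in FIELD_RE.findall(line) if n != "msg"]

def parse_events(raw):
    """Group records by their audit(ts:serial) serial, keeping record order."""
    events = {}
    for line in raw.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.setdefault(m.group(2), []).append(parse_record(line))
    return events

def find_field(records, name, start=0):
    """Search record `start` and every later record for `name`; returns
    (record_index, value) or None. The kernel emits key= only on the SYSCALL
    record, so a search that stops at the current record never sees it."""
    for i in range(start, len(records)):
        for n, v in records[i]:
            if n == name:
                return i, v
    return None

def watched_key_info(records):
    """What a plugin needs from an ids-<type>-<severity> key (the naming the
    post uses, assumed here); returns (type, severity) or None without one."""
    hit = find_field(records, "key")
    if hit is None or not hit[1].startswith("ids-"):
        return None
    parts = hit[1].split("-", 2)
    return (parts[1], parts[2]) if len(parts) == 3 else None
```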