<div dir="ltr"><div>Hi All,<br><br></div><div>Please ask me one question regarding about of RHEL security. To hack RHEL root privilege is possible or not ? Even this system didn't try to patch update CVE,RHSA and so on. <br><br></div><div>Thanks in advance for your feedback. <br><br><br></div><div>All the best,<br></div><div>-Aung<br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 14, 2016 at 10:30 PM, <span dir="ltr"><<a href="mailto:linux-audit-request@redhat.com" target="_blank">linux-audit-request@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Linux-audit mailing list submissions to<br>
<a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://www.redhat.com/mailman/listinfo/linux-audit" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:linux-audit-request@redhat.com">linux-audit-request@redhat.com</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:linux-audit-owner@redhat.com">linux-audit-owner@redhat.com</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Linux-audit digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Weird issues in 2.6.5 (Chris Nandor)<br>
2. [PATCH] Fix whitespace in CWD record (Steve Grubb)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Wed, 13 Jul 2016 15:22:01 -0700<br>
From: Chris Nandor <<a href="mailto:pudge@pobox.com">pudge@pobox.com</a>><br>
To: Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>><br>
Cc: <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a><br>
Subject: Re: Weird issues in 2.6.5<br>
Message-ID:<br>
<CAHcE2wrPftjsy2QMB4+qsa9o-S=<a href="mailto:xWqjiD%2BrtKX0wM24ksT0tkQ@mail.gmail.com">xWqjiD+rtKX0wM24ksT0tkQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I set heartbeat to 60 on the client and idle to 120 on the server.<br>
Reconnects seem fine now, although I never did nail down the exact<br>
conditions under which reconnects failed.<br>
<br>
But I still have the problem of weird buffering on the client side. If I<br>
run `sudo ls` on the client side, locally I get something like:<br>
<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=SYSCALL<br>
msg=audit(1468448156.161:3288765): arch=c000003e syscall=59 success=yes<br>
exit=0 a0=8f81e8 a1=8f7578 a2=8febf0 a3=7ffd3d956370 items=2 ppid=19387<br>
pid=19388 auid=2288 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0<br>
tty=pts4 ses=399 comm="ls" exe="/bin/ls" key="rootcmd"<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=EXECVE<br>
msg=audit(1468448156.161:3288765): argc=1 a0="ls"<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=CWD msg=audit(1468448156.161:3288765):<br>
cwd="/tmp"<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=PATH msg=audit(1468448156.161:3288765):<br>
item=0 name="/bin/ls" inode=132438 dev=09:01 mode=0100755 ouid=0 ogid=0<br>
rdev=00:00<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=PATH msg=audit(1468448156.161:3288765):<br>
item=1 name=(null) inode=71179 dev=09:01 mode=0100755 ouid=0 ogid=0<br>
rdev=00:00<br>
<br>
But remotely, I just get:<br>
<br>
node=<a href="http://grax.sea.marchex.com" rel="noreferrer" target="_blank">grax.sea.marchex.com</a> type=SYSCALL<br>
msg=audit(1468448156.161:3288765): arch=c000003e syscall=59 success=yes<br>
exit=0 a0=8f81e8 a1=8f7578 a2=8febf0 a3=7ffd3d956370 items=2 ppid=19387<br>
pid=19388 auid=2288 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0<br>
tty=pts4 ses=399 comm="ls" exe="/bin/ls" key="rootcmd"<br>
<br>
Just the first line of the audit record. No matter how long I wait. If I<br>
then run `sudo ls` again, *then* the rest of the lines show up in the<br>
server's log.<br>
<br>
The buffering appears to be on the client side, because if I restart the<br>
server's auditd, those lines are not lost: they still appear in the remote<br>
log ... but not until the next time I run `sudo ls` on the client side.<br>
<br>
This is on 1.7.x. This does not happen on 2.4.x or 2.6.x.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On Wed, Jul 13, 2016 at 11:38 AM, Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>> wrote:<br>
<br>
> On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:<br>
> > The only reason I am even upgrading is because of the issues with<br>
> > audisp-remote, the not-reconnecting, and the apparent client-side<br>
> > buffering, that went away with 2.4.x and 2.6.x. So if we decide to ship<br>
> > logs a different way than with audisp-remote, then it might be best to<br>
> > stick with 1.7.x.<br>
><br>
> This sounds a lot like the idle detection is not set right. In audisp-<br>
> remote.conf there is a setting heartbeat_timeout. This should be set to<br>
> something like 60 or 120. Then on the server in auditd.conf there is a<br>
> setting<br>
> tcp_client_max_idle which should be over twice as high as<br>
> heartbeat_timeout.<br>
> So, you'd set it to 180 or 300.<br>
><br>
> > That said, so far I see no issues, so we're going to forge ahead and see<br>
> > what happens. I just need to keep in mind what our mitigation plan would<br>
> > be if we do run into issues.<br>
><br>
> Old utilities won't know what to do with enriched events. AFAICS, that<br>
> would<br>
> be the long term issue. You'll need to do aperl, awk, or cut command to<br>
> trim<br>
> off the unknown part of the event in your logs.<br>
><br>
> -Steve<br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="https://www.redhat.com/archives/linux-audit/attachments/20160713/023e5d70/attachment.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/linux-audit/attachments/20160713/023e5d70/attachment.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Thu, 14 Jul 2016 10:59:19 -0400<br>
From: Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>><br>
To: <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a><br>
Subject: [PATCH] Fix whitespace in CWD record<br>
Message-ID: <1772571.A9vuBSQyZx@x2><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Fix the whitespace in the CWD record<br>
<br>
Signed-off-by: Steve Grubb <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>><br>
---<br>
kernel/auditsc.c | 2 +-<br>
1 file changed, 1 insertion(+), 1 deletion(-)<br>
<br>
diff -urp linux-4.7.0-0.rc4.git1.1.fc23.x86_64.orig/kernel/auditsc.c linux-4.7.0-0.rc4.git1.1.fc23.x86_64/kernel/auditsc.c<br>
--- linux-4.7.0-0.rc4.git1.1.fc23.x86_64.orig/kernel/auditsc.c 2016-06-25 12:44:41.756440052 -0400<br>
+++ linux-4.7.0-0.rc4.git1.1.fc23.x86_64/kernel/auditsc.c 2016-07-14 09:56:50.222227280 -0400<br>
@@ -1426,7 +1426,7 @@ static void audit_log_exit(struct audit_<br>
if (context->pwd.dentry && context->pwd.mnt) {<br>
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);<br>
if (ab) {<br>
- audit_log_d_path(ab, " cwd=", &context->pwd);<br>
+ audit_log_d_path(ab, "cwd=", &context->pwd);<br>
audit_log_end(ab);<br>
}<br>
}<br>
<br>
<br>
<br>
------------------------------<br>
<br>
--<br>
Linux-audit mailing list<br>
<a href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/linux-audit" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
<br>
End of Linux-audit Digest, Vol 142, Issue 18<br>
********************************************<br>
</blockquote></div><br></div></div>