Tools for reviewing audit logs ?

Wieprecht, Karen M. Karen.Wieprecht at jhuapl.edu
Wed Dec 13 16:45:37 UTC 2006


>> It would be helpful to me to know what your use cases/requirements
>> are.

I guess the main thing we want is to make the audit data easier to
understand when we are reviewing it, and I'd rather not have to issue
multiple ausearch commands per machine times n systems to get an
overview of possible wrongdoing on the machine ... Certainly I can use
those tools to investigate further if I see something suspicious.  

I'll have to see if I can find the script you mentioned online somewhere
and see if it's close to what I want.  If not, here's a feel for what
we'd be interested in as a bare minimum,  and certainly any improvements
would be even better.

Here is a sample of what I did with some test audit output on Solaris
10.  The perl scripts that I have written for Irix, Solaris, and Mac OSX
aren't super savvy, but they pull the data into a key value hash table
so I can reformat it into a more English-like format (and I throw out
stuff my site doesn't care about like file access failures that are
caused by "file not found" rather than permission problems).  Except
for Irix (where I shoot converted stuff to a central host via the syslog
facility), my scripts also manage the audit data to keep it to a
manageable size, move it to a central place where I can keep straight
which data has or has not already been reviewed, and let me review audit
logs on multiple machines all at once.  I wrote these scripts for
Solaris 8 before I knew about snare, then I ported them to Mac OSX
(again, snare wasn't available on that platform), and then ported them
again to Solaris 10 before a snare version was available there.  I use
my scripts in conjunction with snare on Irix to make the audit data
easier to read.   Here is a sample of the converted Solaris 10 output:


------------------------------------------------------------------- 
 (invalid user)  FAILED to      telnet     into oldpatton from oldzumwalt:       No account present for user             on 2005-09-28 15:41:29.608 -04:00
 rick  FAILED to      ftp     into oldpatton from oldzumwalt:    bad password            on 2005-09-28 15:42:00.448 -04:00
 rick  FAILED to      ftp     into oldpatton from oldzumwalt:    misc failure            on 2005-09-28 15:42:00.451 -04:00
 root  successful     rlogin     into oldpatton from oldzumwalt on 2005-09-28 15:42:06.297 -04:00
 root  logged out of oldpatton    on 2005-09-28 15:42:15.065 -04:00
 karen  successful     rlogin     into oldpatton from oldzumwalt on 2005-09-28 15:42:25.127 -04:00
 karen as root  on oldpatton ran     setaudit_addr(2)    on 2005-09-28 15:42:30.905 -04:00 ****
 karen as root  on oldpatton ran     su root     on 2005-09-28 15:42:30.908 -04:00
 karen as root  on oldpatton ran     setaudit_addr(2)    on 2005-09-28 15:42:35.190 -04:00 ****
 karen as root  on oldpatton ran     su rick     on 2005-09-28 15:42:35.193 -04:00
 karen as rick  on oldpatton FAILED to     modify time on   /etc/shadow: Permission denied        on 2005-09-28 15:42:40.262 -04:00
 karen as rick  on oldpatton FAILED to     remove /etc/shadow: Permission denied        on 2005-09-28 15:42:46.506 -04:00
 karen as root  on oldpatton FAILED to     su thomas:   bad username on 2005-09-28 15:44:05.870 -04:00
 karen as root  on oldpatton FAILED to     su dan:      bad auth. on 2005-09-28 15:44:15.811 -04:00
 (invalid user)  FAILED to      ftp     into oldpatton from oldpatton: bad password            on 2005-09-28 15:45:03.703 -04:00
 (invalid user)  FAILED to      ftp     into oldpatton from oldpatton: misc failure            on 2005-09-28 15:45:03.705 -04:00
 rick  FAILED to      ftp     into oldpatton from oldpatton:     bad password            on 2005-09-28 15:45:15.391 -04:00
 rick  FAILED to      ftp     into oldpatton from oldpatton:     misc failure            on 2005-09-28 15:45:15.394 -04:00
 dan  FAILED to      telnet     into oldpatton from oldpatton: Authentication failed           on 2005-09-28 15:45:26.661 -04:00
 karen  on oldpatton FAILED to     open   /etc/security/policy.conf: Permission denied        on 2005-09-28 15:45:38.063 -04:00
 karen  on oldpatton FAILED to     rmdir /home/karen/.sunw/pkcs11_softtoken:     File exists      on 2005-09-28 15:45:38.112 -04:00
 karen  on oldpatton FAILED to     open /dev/devices/pseudo/random@0:urandom:          Permission denied on 2005-09-28 15:45:38.148 -04:00
 (invalid user)  FAILED to      ssh     into oldpatton from oldpatton: Authentication failed           on 2005-09-28 15:45:48.094 -04:00
 karen  on oldpatton FAILED to     mkdir /home/karen/.sunw/pkcs11_softtoken:     File exists      on 2005-09-28 15:46:07.587 -04:00
 karen  on oldpatton FAILED to     open /dev/devices/pseudo/random@0:urandom:          Permission denied on 2005-09-28 15:46:07.602 -04:00
 (invalid user)  FAILED to      ssh     into oldpatton from oldpatton: Authentication failed           on 2005-09-28 15:46:13.153 -04:00
 karen  on oldpatton FAILED to     modify time on   /var/audit: Permission denied        on 2005-09-28 15:46:22.179 -04:00
 karen  on oldpatton FAILED to     modify time on   /etc/shadow: Permission denied        on 2005-09-28 15:46:29.514 -04:00
 karen  on oldpatton FAILED to     open   /etc/shadow:   Permission denied        on 2005-09-28 15:46:47.469 -04:00
 karen  on oldpatton FAILED to     create /etc/shadow:   Permission denied        on 2005-09-28 15:47:10.423 -04:00
 karen  logged out of oldpatton           on 2005-09-28 15:47:32.486 -04:00

---------------------------------------------------------------- 
I realize that the tabs/spaces don't line up,  but I sort the output,
and even though the entries are no longer in chronological order,
similar records are grouped, the sentences read like English instead of
scrambled garbage, and it's pretty easy to visually scan through the
data.   Savvy programmers might do something better than this, but it's
simple and it beats the pants off looking at the raw Solaris audit
data:
---------------------------------------------------------------- 

# << --- *snip* ---->>
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:42:35.191 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,94,2,su,,oldpatton,2005-09-28 15:42:35.193 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,text,success for user rick,return,success,0
header,137,2,utimes(2),fe,oldpatton,2005-09-28 15:42:40.262 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10381,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1
header,137,2,unlink(2),fe,oldpatton,2005-09-28 15:42:46.506 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10382,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1
header,166,2,symlink(2),fe,oldpatton,2005-09-28 15:43:39.253 -04:00,path,/var/audit/fileshouldntbeallowedindirwhereuserhasnopermission,subject,karen,rick,users,rick,users,10383,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,file_dac_search,return,failure: Permission denied,-1
header,214,2,link(2),fe,oldpatton,2005-09-28 15:43:55.986 -04:00,path,/etc/passwd,attribute,100644,root,sys,32,50381,0,path,/var/audit/fileshouldntbeallowedindirwhereuserhasnopermission,subject,karen,rick,users,rick,users,10384,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,file_dac_search,return,failure: Permission denied,-1
header,81,2,auditon(2) - get audit state,,oldpatton,2005-09-28 15:44:05.859 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.866 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.866 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.868 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
# << --- *snip* ---->>


 Thanks,

Karen Wieprecht
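One way to do the "pull the data into a key/value hash, then reformat it into English" step the post describes, written here in Python as an added example rather than the author's Perl scripts: it walks praudit's comma-delimited tokens record by record, renders each one as a single readable line in the style of the converted sample above, and drops the "file not found" failures the post says the site filters out. The per-token field counts, the EVENT_VERBS table and the IGNORED_REASONS set are assumptions derived from the records quoted in the email, and the two SAMPLE records are copied from its raw praudit output.

```python
# Token name -> number of fields that follow it in praudit's comma-delimited
# output (counts assumed from the sample records quoted in the email).
TOKEN_FIELDS = {"header": 6, "subject": 8, "path": 1, "attribute": 6,
                "use of privilege": 2, "text": 1, "return": 2}
SUBJECT_KEYS = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")
# Event name -> English verb phrase (illustrative mapping, not the author's).
EVENT_VERBS = {"utimes(2)": "modify time on {path}", "unlink(2)": "remove {path}",
               "symlink(2)": "symlink {path}", "link(2)": "link {path}"}
# Failure reasons the site does not care about (the "file not found" noise).
IGNORED_REASONS = {"No such file or directory"}
SAMPLE = [  # two records from the email's raw praudit output
    "header,94,2,su,,oldpatton,2005-09-28 15:42:35.193 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,text,success for user rick,return,success,0",
    "header,137,2,utimes(2),fe,oldpatton,2005-09-28 15:42:40.262 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10381,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1",
]

def parse_record(line):
    """Walk the comma-split fields token by token; TOKEN_FIELDS says how many
    values each token owns, so repeated tokens (e.g. two paths) collect into lists."""
    fields = line.strip().split(",")  # caveat: a comma inside a text token breaks this
    rec, i = {}, 0
    while i < len(fields):
        name, n = fields[i], TOKEN_FIELDS.get(fields[i])
        if n is None or len(fields) < i + 1 + n:
            raise ValueError(f"unknown or truncated token {name!r} at field {i}")
        rec.setdefault(name, []).append(fields[i + 1:i + 1 + n])
        i += 1 + n
    return rec

def render(rec):
    """Return one English-like line, or None when the record is filtered out."""
    _, _, event, _, host, when = rec["header"][0]
    subj = dict(zip(SUBJECT_KEYS, rec["subject"][0]))
    status = rec["return"][0][0]
    failed = status.startswith("failure")
    reason = status.partition(":")[2].strip() if failed else ""
    if reason in IGNORED_REASONS:
        return None
    who = subj["auid"] if subj["auid"] == subj["uid"] else f'{subj["auid"]} as {subj["uid"]}'
    path = rec.get("path", [["?"]])[-1][0]  # for link(2) the last path is the new name
    if event in EVENT_VERBS:
        action = EVENT_VERBS[event].format(path=path)
    elif event == "su":  # text token reads "success for user rick"
        action = "su " + rec["text"][0][0].rsplit(" ", 1)[-1]
    else:
        action = event
    verb = f"FAILED to {action}: {reason}" if failed else f"ran {action}"
    return f"{who} on {host} {verb} on {when}"

def convert(lines):  # one readable line per record, filtered records dropped
    return [out for out in (render(parse_record(l)) for l in lines) if out]
```

Sorting the output of convert() groups similar records the way the post describes; a record with an unknown token raises rather than being silently misparsed.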

