audisp-prelude problems

Loredan Stancu loredan.stancu at myclar.ro
Wed Dec 3 17:58:24 UTC 2008


> On Wednesday 03 December 2008 09:57:48 Loredan Stancu wrote:
>> >> 1. audisp-prelude plugin is not generating events when a user is logged in.
>> >
>> > Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN
>> > Without that, you won't see anything.
>>
>> The problem is that no USER_LOGIN appears in the log file. No events
>> are generated when a user is logged in.
>
> You likely need to compile openssh with a "--with-linux-audit" option to the
> configure line. If your distribution does not have the openssh audit patch, you
> can find it here:
>
> http://cvs.fedora.redhat.com/viewvc/devel/openssh/openssh-4.7p1-audit.patch?revision=1.1

Another question: Can auditd generate events when a user is logging in
using ssh? Does that imply ssh uses pam? I ask this because I want to use audit
on a production server and I'm not allowed to manually install packages. I
am only allowed to use emerge to install packages. At this moment I do not
have a USE flag (Gentoo-specific) corresponding to --with-linux-audit.

@Steve :) : Can you help me please with audisp-remote? I'll explain again
what I want to do:
Let's say I have 3 machines (M1 M2 M3). M1 and M2 are 2 production servers.
M3 is a centralized events machine. auditd and audisp-remote run on M1 and M2.
audisp-remote sends events to M3. I know how to configure auditd and
audisp-remote on M1 and M3. What I don't know is what I should do on M3 so
that it can receive events from M1 and M2 and store these events in a regular
file.

After this is clarified I'll see how I should separate events based
on the node machine (M1 and M2).

>
>> >> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager
>> >
>> > For which event? The loginuid is mostly what I concentrated on since that
>> > tells you how they got into the machine.
>>
>> For any events. I am using prelude-manager and prewikka and I can't see
>> any uid or gid of any events.
>
> I'll check what I'm collecting. But I'm sure that loginuid should be there
> whenever it's relevant.
>
>
>> >> 3. No events are generated for watched files/exec/mk_exe if no two -k
>> >> options are specified in the rule. One of the -k options should contain
>> >> '-k ids-type-severity' and another -k may contain anything. If you specify
>> >> only one -k option no events are generated.
>> >
>> > You need 2 rules to cover this:
>> >
>> > auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file
>> >   -k ids-mkexe-hi
>> > auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111'
>> >   -F filetype=file -k ids-mkexe-hi
>> >
>> > It works fine on my system. Also note that it depends on having a recent
>> > kernel.
>>
>> On Gentoo linux I'm using kernel version 2.6.26-gentoo-r3 and on Debian
>> system I'm using kernel version 2.6.26-1-686
>> In both kernels I have support for audit and inotify.
>
> And you are able to load and list the 2 rules I sent above? Can you find the
> results with ausearch --start today -k mkexe -m SYSCALL ? You might also
> strace the app that's making executables that you are trying to catch to make
> sure you have a rule that will catch it.

Yes, I could load those rules and this is what is logged when a file gets
execution rights:

type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306
success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1
ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod"
exe="/bin/chmod" key="ids-mkexe-hi"
type=CWD msg=audit(1228324240.067:14):  cwd="/usr/local/audit"
type=PATH msg=audit(1228324240.067:14): item=0
name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000
ogid=1000 rdev=00:00


>> >> Another question is how I can use audisp-remote to send events somewhere
>> >> remote?
>
> I think I answered this in the other email, but to be clear, the audisp-remote
> plugin wants to talk to a remote audit daemon. So the chain of custody for an
> event looks like:
>
> kernel->auditd->audispd->audisp-remote->auditd->file
>
> -Steve
>
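The three audit records quoted in this message can be checked mechanically against the two mkexe rules Steve posted. The following script is an added example for this archive page, not code from the audit project or from either participant. It parses the key=value records, groups them by the `msg=audit(ts:serial)` event id, decodes the mode argument that the rule filters on (`a2` for fchmodat, `a1` for chmod/fchmod, per the rules quoted above), tests it against the `0111` exec mask, and flags `auid=4294967295`, the "loginuid never set" value that ties back to the missing USER_LOGIN events. The i386 syscall numbers (15 chmod, 94 fchmod, 306 fchmodat for `arch=40000003`) are an assumption of this example and should be checked with `ausyscall` on the box in question.

```python
"""Check audit SYSCALL/PATH records against a chmod-to-executable rule.

Added example for this mailing-list page; not part of the audit project.
Assumptions: records use the space-separated key=value form auditd writes,
and syscall numbers are i386 (arch=40000003): 15 chmod, 94 fchmod, 306 fchmodat.
"""
import re

# Records copied from the ausearch output quoted above, one logical line each.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 '
    'success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 '
    'ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod" '
    'exe="/bin/chmod" key="ids-mkexe-hi"',
    'type=CWD msg=audit(1228324240.067:14):  cwd="/usr/local/audit"',
    'type=PATH msg=audit(1228324240.067:14): item=0 '
    'name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 '
    'ouid=1000 ogid=1000 rdev=00:00',
]

UNSET_AUID = '4294967295'   # (unsigned)-1: no login ever set the loginuid
EXEC_BITS = 0o111           # the mask the rules apply with a1&0111 / a2&0111
I386_ARCH = '40000003'
# Which syscall argument carries the mode, matching the two rules in the thread.
# i386 syscall numbers (assumed; verify with ausyscall on the target kernel).
MODE_ARG_BY_SYSCALL = {'15': 'a1', '94': 'a1', '306': 'a2'}

# key=value pairs; quoted values may contain spaces, bare ones may not.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one audit record into a dict, dropping quotes around values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def group_by_event(lines):
    """Group records sharing the same msg=audit(ts:serial) identifier."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['msg'].rstrip(':'), []).append(rec)
    return events


def analyze_event(records):
    """Report whether the event would satisfy the rule's mode filter and
    whether it can be attributed to a login session."""
    by_type = {r['type']: r for r in records}
    sc = by_type.get('SYSCALL', {})
    path = by_type.get('PATH', {})
    mode_arg = None
    if sc.get('arch') == I386_ARCH:
        mode_arg = MODE_ARG_BY_SYSCALL.get(sc.get('syscall'))
    mode = int(sc[mode_arg], 16) if mode_arg else 0   # register args are logged in hex
    return {
        'key': sc.get('key'),
        'comm': sc.get('comm'),
        'mode_arg': mode_arg,
        'mode_octal': oct(mode),
        'sets_exec_bit': bool(mode & EXEC_BITS),
        'target': path.get('name'),
        'loginuid_unset': sc.get('auid') == UNSET_AUID,
    }


if __name__ == '__main__':
    for ev_id, recs in group_by_event(SAMPLE_RECORDS).items():
        print(ev_id, analyze_event(recs))
```

For the record on this page the script reports mode 0755 on `a2` (so `a2&0111` is satisfied and the `ids-mkexe-hi` key is present) and `loginuid_unset` true: the SYSCALL record exists, but without an audit-aware sshd setting the loginuid, nothing links the chmod back to who logged in.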