Problem with audisp-prelude/auparse on Fedora 10

Gary Smith gary.smith at pnl.gov
Wed Jan 7 00:40:13 UTC 2009


Hello All,

I've been working on getting audit/audisp-prelude/prelude set up on Fedora
10 and have run into a situation where it appears that audisp-prelude is not
triggering on watched syscall events.

The system is running Fedora 10 with the 2.6.27.9-159.fc10 kernel, audit
and audispd-plugins 1.7.10, and the host of prelude software and libraries. I
followed Steve's HOWTO on installing and configuring audit and prelude and
got it all installed without difficulties. After the configuration, I
restarted auditd and saw that audispd and audisp-prelude were running and
so were prelude-manager and mysql. After starting up prewikka-httpd and
pointing the web browser at the system, I tried a few things, like logging in
and out successfully and unsuccessfully. I was pleased to see the
events pop up in the browser window. I did some more tests wherein I caused
programs to seg fault and these events got recorded too. Needless to say, I
was impressed. Next I used the system-config-audit GUI tool to create some
watch points on files with the ids-type-severity key set to get audisp-prelude's
attention. Here's the listing of the rules from auditctl -l:

LIST_RULES: exit,always watch=/etc/shadow perm=rwxa key=ids-file-hi
LIST_RULES: exit,always watch=/bin/ping perm=x key=ids-exec-inf

I restarted auditd and ran ping. Nothing showed up in the browser window. I
ran ping again, several times. Nothing at all. I did some things to
/etc/shadow and nothing. I did an ausearch for the key=ids-exec-inf and got
something like this:

time->Wed Dec 31 13:42:53 2008
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=1 name=(null) inode=16564 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
node=dr-who.timelord.com type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ping_exec_t:s0
node=dr-who.timelord.com type=CWD msg=audit(1230759773.835:118): cwd="/home/gsmith"
node=dr-who.timelord.com type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
node=dr-who.timelord.com type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 a0=94b4eb0 a1=94b3390 a2=94b9e20 a3=0 items=2 ppid=17687 pid=17773 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=pts3 ses=7 comm="ping" exe="/bin/ping" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ids-exec-info"

So, it looks like the watch points are firing and the records are getting into
the audit log.

Then I did an aureport --summary -k:

Key Summary Report
===========================
total  file
===========================
112  ids-file-hi
16  ids-exec-inf

So both ausearch and aureport can find the keys and interpret them.

Next, I did ausearch --raw -k ids-file-hi > test.log and audisp-prelude --test
< ./test.log

Nothing happened. All I got was "audisp-prelude is exiting on stop request".

I was confused about what was happening. Why do two programs see the keys and
not the other one?

So I downloaded the source (audit-1.7.10.tar.gz) and rebuilt the audit
package with prelude. When I executed the locally built audisp-prelude as
above, I got the same result.

Looking through the code, the file audisp_prelude.c has a function called
handle_watched_syscalls. After playing around with putting debug statements
into the code and rerunning the test over several runs, it looks like
auparse_find_field is not finding the "key" field. The reason ausearch and
aureport can find the "key" field is that they don't use auparse. I edited
the test.log file and moved the "key" fields to the start of the record and
ran the test; no difference. Next, I modified the source of audisp-prelude.c
so that instead of looking for "key" to introduce "ids-" info,
handle_watched_syscalls would look for "subj" instead (I picked this one
since I had seen that auparse_find_field could find this field). I edited
the test.log to replace "key=" with "subj=" and reran the test. This time I
got output:

version: <empty>
alert:
        analyzer(0):
                analyzerid: 4123513432298101
                name: auditd
                manufacturer: Red Hat, http://people.redhat.com/sgrubb/audit/
                model: auditd
                version: 1.7.10
                class: HIDS
                ostype: Linux
                osversion: 2.6.27.9-159.fc10.i686
                node:
                        category: unknown (0)
                        name: localhost.localdomain
                process:
                        name: lt-audisp-prelude
                        pid: 3661
                        path: /home/gsmith/Projects/audit-1.7.10/audisp/plugins/prelude/.libs/lt-audisp-prelude
        create_time: 06/01/2009 15:28:34.312712 -08:00
        classification:
                text: Watched Executable
        detect_time: 31/12/2008 10:08:16.0 -08:00
        source(0): 
                spoofed: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                user:
                        category: application (1)
                        user_id(0):
                                type: original-user (0)
                                tty: pts1
                                name: gsmith
                                number: 500
                process:
                        name: ping
                        pid: 3391
                        path: /bin/ping
        target(0): 
                decoy: unknown (0)
                node:
                        category: hosts (6)
                        name: dr-who.timelord.com
                file(0):
                        name: ping
                        path: /bin/ping
                        category: current (1)
        assessment:
                impact:
                        severity: info (1)
                        completion: succeeded (2)
                        type: user (5)
                        description: A user has attempted to execute a program that is being watched.
        additional_data(0):
                type: string (0)
                meaning: Execve args
                data: a0=ping a1=-c a2=5 a3=10.0.2.2
        additional_data(1):
                type: string (0)
                meaning: Audit event serial #
                data: 66

Looking further, I found that auparse_find_next calls nvlist_find_name in
nvlist.c. I added some debug statements to nvlist_find_name, and it seems to
never compare its linked list of names against "key". So, I'm guessing
that the linked list is not built correctly.

So, have I been barking up the wrong tree on why audisp-prelude does not
trigger on "key=ids-" type fields? Any comments would be greatly
appreciated.

Best regards,

Gary Smith
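To make the lookup the post is debugging concrete, here is an added Python example (not the poster's code, nor the auparse library or audisp-prelude): it groups raw ausearch-style records sharing one msg=audit(ts:serial) into an event, searches every record of the event for a named field the way the post expects auparse_find_field to, and then reads a watch key of the form ids-<type>-<severity>. The record lines are constructed, and the three-part key layout is assumed from the rule keys shown above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on ausearch --raw output (not the poster's data).
RAW_EVENTS = """\
type=PATH msg=audit(1230759773.835:118): item=0 name="/bin/ping" inode=417854 mode=0104755 ouid=0 ogid=0
type=CWD msg=audit(1230759773.835:118): cwd="/home/user"
type=EXECVE msg=audit(1230759773.835:118): argc=4 a0="ping" a1="-c" a2="5" a3="10.0.2.2"
type=SYSCALL msg=audit(1230759773.835:118): arch=40000003 syscall=11 success=yes exit=0 pid=17773 auid=500 uid=500 comm="ping" exe="/bin/ping" key="ids-exec-inf"
type=SYSCALL msg=audit(1230759780.101:119): arch=40000003 syscall=5 success=no exit=-13 pid=17790 auid=500 uid=500 comm="cat" exe="/bin/cat" key="ids-file-hi"
"""

# name=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# msg=audit(<timestamp>:<serial>): identifies the event a record belongs to
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')


def parse_events(raw):
    """Group records into events keyed by audit serial (what auparse assembles)."""
    events = defaultdict(list)
    for line in raw.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record (e.g. a time-> separator)
        fields = {}
        for name, val, quoted in FIELD_RE.findall(line):
            fields[name] = quoted if val.startswith('"') else val
        events[int(m.group(2))].append(fields)
    return events


def find_field(event, name):
    """Return the value of `name` from the first record of the event that has it."""
    for record in event:
        if name in record:
            return record[name]
    return None


def watched_syscall_info(event):
    """Read an ids-<type>-<severity> key (assumed layout) plus outcome and exe."""
    key = find_field(event, "key")
    if key is None:
        return None
    parts = key.split("-")
    if len(parts) != 3 or parts[0] != "ids":
        return None  # not a watch key meant for the IDS plugin
    return {"type": parts[1], "severity": parts[2],
            "success": find_field(event, "success") == "yes",
            "exe": find_field(event, "exe")}
```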
