filtering system calls with auid -1

ocakan ocakan at gmail.com
Wed Nov 18 14:54:58 UTC 2015


Hello Steve!

Thank you for your feedback. Somehow I still do not fully understand how
the filtering with -F works.

Regarding your questions: commands executed by root user, including
subshells, subcmds from script are fine for me.

I altered my audit.rules as you suggested to the following, no other rules:
auditctl -l:
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0

I get entries from crond like the following in audit.log:
type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'

What I do not get now are commands executed as root user from ptsX/ttyX.

root at myhost ~# cat /etc/passwd # no audit entry
root at myhost ~# service rsyslog stop # no audit entry
root at myhost ~# less /var/log/audit/audit.log # no audit entry
root at myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE entry

Cheers,
Orhan


2015-11-17 20:55 GMT+01:00 Steve Grubb <sgrubb at redhat.com>:

> On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote:
> > My aim is to audit only commands executed by root (interactively) and avc
> > denied messages (selinux)
>
> I have some questions to help clarify. Command executed by root, or the root
> user? Root is uid = 0, Root user is uid = 0 && auid >= 500 && auid != -1.
> (the audit system treats all uid as unsigned numbers therefore auid = -1 is a
> large unsigned number.)
>
> Also when you say commands, what do you mean? What root types on the console?
> What if that is a shell script that in turn executes many other programs and
> scripts?
>
>
> > Some details about my audit-test-system and current audit configuration.
>
> <snip>
>
> > ### auditctl -l:
> > -a never,exit -S all -F auid!=-1
>
> This says you want to mark all user processes permanently unauditable.
>
> > -a never,exit -S all -F auid!=0 -F auid<500
>
> I don't think this adds anything because the previous one includes this.
>
> > -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands
> > -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands
>
> Now you want execve run by anything that's not a user, meaning cron jobs and
> system services.
>
> > -a always,exclude -F msgtype=CWD
>
> And this says you don't care about reconstructing relative paths.
>
>
> > ### auditctl -s:
> > AUDIT_STATUS: enabled=1 flag=1 pid=4232 rate_limit=0 backlog_limit=8192
> > lost=0 backlog=0
> >
> > ### /etc/init.d/auditd status:
> > auditd (pid  4232) is running...
> >
> > ### grep -Hrn loginuid /etc/pam.d/:
> > /etc/pam.d/login:9:session    required     pam_loginuid.so
> > /etc/pam.d/sshd:9:session    required     pam_loginuid.so
> > /etc/pam.d/remote:9:session    required     pam_loginuid.so
> > /etc/pam.d/ssh-keycat:4:session    required     pam_loginuid.so
> >
> > -----
> >
> > MY QUESTION:
> > With the above listed configuration I still get audit.log entries with
> > auid=-1 including cron and anacron entries.
>
> Based on your rules, you are getting exactly what you programmed it to do.
>
>
> > EXAMPLE AUDIT.LOG SNIPPET:
> > type=USER_ACCT msg=audit(1447748821.214:1369): user pid=5863 uid=0
> > auid=4294967295 ses=4294967295
>
> <snip>
>
> > What am I missing or doing wrong? I also tried working with pam_tty_audit
> > and aureport --tty but that is too detailed as every keypress gets logged.
>
> Sudo will log every command run through it. Maybe that is closer? The execve
> approach will log everything, but it will also log all subscripts that are run
> as a result of what's entered on the command line. That would be:
>
> -a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> No other rules.
>
> -Steve
>
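As an added illustration (not part of this thread or of the audit project), a small parser that treats auid the way the kernel does (an unset login uid is -1, printed as 4294967295) and applies the filters of the execve rule above to sample records: the crond USER_ACCT line quoted in this message plus two constructed SYSCALL records. Syscall rules (-a always,exit) only ever produce SYSCALL records, so the PAM records from crond are not governed by them, and an execve only matches once the session has a login uid set by pam_loginuid.

```python
import re

# auid/ses are unsigned 32-bit in audit records; an unset login uid (-1)
# is therefore printed as 4294967295.
UNSET_UID = 0xFFFFFFFF
EXECVE_X86_64 = 59  # syscall number of execve for arch=c000003e (x86_64)

def parse_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields."""
    m = re.match(r"type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)", line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(4)):
        rec.setdefault(key, val.strip('"'))
    return rec

def signed_auid(value):
    """Map the unsigned auid the kernel prints back to the -1 it stands for."""
    n = int(value)
    return -1 if n == UNSET_UID else n

def matches_rule(rec, syscall_nr=EXECVE_X86_64):
    """Evaluate: -a always,exit -S execve -F auid>=500 -F auid!=-1 -F uid=0.
    Only SYSCALL records are candidates; USER_ACCT/CRED_ACQ/USER_START etc.
    are user-space (PAM) events and never pass through exit filters."""
    if rec["type"] != "SYSCALL" or int(rec.get("syscall", -1)) != syscall_nr:
        return False
    auid = signed_auid(rec["auid"])
    return auid >= 500 and auid != -1 and int(rec["uid"]) == 0

# Sample input: first line is the crond USER_ACCT record quoted in the mail,
# the two SYSCALL records are constructed for this example.
SAMPLE = [
    'type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=\'op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success\'',
    'type=SYSCALL msg=audit(1447855400.100:320): arch=c000003e syscall=59 success=yes exit=0 pid=26001 auid=4294967295 uid=0 ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts"',
    'type=SYSCALL msg=audit(1447855450.500:331): arch=c000003e syscall=59 success=yes exit=0 pid=26042 auid=500 uid=0 ses=7 tty=pts0 comm="iptables" exe="/sbin/iptables"',
]

def audited_commands(lines):
    """Return (serial, exe, auid) for every record the rule would have logged."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if matches_rule(rec):
            hits.append((rec["serial"], rec["exe"], signed_auid(rec["auid"])))
    return hits

if __name__ == "__main__":
    for line in SAMPLE:
        r = parse_record(line)
        print(r["type"], "auid=%d" % signed_auid(r["auid"]), "match=%s" % matches_rule(r))
```

Only the interactive record (auid=500, uid=0) matches; the cron job shares uid=0 but its auid is unset, which is exactly what -F auid!=-1 excludes.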