Use case not covered by the audit library?
Gulland, Scott A
scott.gulland at hpe.com
Wed Jan 6 20:27:31 UTC 2016
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Wednesday, January 06, 2016 12:06 PM
>
> > > euid would be a kernel originating field name. User space could lie
> > > about it. The kernel is the only thing that knows the truth.
> >
> > Unfortunately, that is not true for HTTP servers which run as root but
> > authenticates the true user issuing the REST request. The authentication
> > is done through PAM. The HTTP server then carries out the action on
> behalf
> > of that user. The kernel thinks it's a root user, but the HTTP server
> > knows otherwise. It sounds like there is no way for a trusted user app to
> > inject the correct uid into the audit event. Would you recommend I use
> > the "user" field instead of "euid" to indicate who is issuing the request?
> > > > Only the data field needs to encoded and ausearch does decode this
> > > >
> > > > field correctly. My message text would look like:
> > > > "op=<op text> data=<encoded data> euid=<uid>"
> > > >
> > > > When I was using ausearch I expected to be able to find events by
> > > > uid using either the "-ua" or "-ue" option that would match the
> > > > euid field's value,
> > >
> > > but no matching events were found. Is this expected behavior?
> > >
> > > What is the record type? ausearch is optimized to expect certain
> > > record types to have fields in a specific order.
> >
> > I am using the AUDIT_USYS_CONFIG event type as I would like to use
> > "aureport -c" to get a summary of the configuration changes to the switch.
> > As an alternative, I could use the AUDIT_TRUSTED_APP event type.
>
> The USYS_CONFIG event is like this:
>
> type=USYS_CONFIG msg=audit(1389095562.552:540): pid=2249 uid=0
> auid=4325 ses=1
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=change-system- time exe="/usr/sbin/hwclock" hostname=?
> addr=? terminal=pts/0 res=success'
>
>
> The kernel supplies all the pieces up to the msg= portion. After that is what
> you build. The only real field the event writer does is the op= field, The rest
> are supplied by libaudit. Ausearch does not parse the op= field.
>
> What I would suggest in a case like this is to create a small utility that
> generates the exact report that you want. The auparse library makes that
> super easy. I can dig up the skeleton code for something like this if you want.
Thanks Steve! I'd appreciate the skeleton code. At some point we'll probably
want to create a custom report capability. It sounds like ausearch really only
handles the fields written by the kernel.
Scott G.
More information about the Linux-audit
mailing list