ausearch --text : missing information

Maupertuis Philippe philippe.maupertuis at equensworldline.com
Mon Aug 21 16:01:43 UTC 2017


Hi,
I was toying with the audit PCI configuration.
I opened a root session with sudo in which I just typed C-r nss to retrieve the command "less /etc/nsswitch.conf" from the bash_history.
The text format, as shown below, doesn't handle the tty_audit information correctly.
Is it a known limitation?



Ausearch format text
On yppcil51s.sys.meshcore.net at 10:23:34 21/08/17 fr18358, acting as root, successfully changed-identity-of /usr/bin/sudo using setresuid
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, typed
On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root, did-unknown
On yppcil51s.sys.meshcore.net at 10:24:14 21/08/17 fr18358, acting as root, successfully ended-session /dev/pts/0

Ausearch -I format raw
----
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(21/08/17 10:23:34.400:20501) : proctitle=sudo -i
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(21/08/17 10:23:34.400:20501) : arch=x86_64 syscall=setresuid success=yes exit=0 a0=root a1=root a2=root a3=0x7fab09de8300 items=0 ppid=20742 pid=20743 auid=fr18358 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1287 comm=sudo exe=/usr/bin/sudo key=10.2.5.b-elevated-privs-session
----
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(21/08/17 10:24:08.661:20503) : pid=20743 uid=root auid=fr18358 ses=1287 data="less /etc/nsswitch.conf"
----
node=yppcil51s.sys.meshcore.net type=TTY msg=audit(21/08/17 10:24:08.661:20502) : tty pid=20743 uid=root auid=fr18358 ses=1287 major=136 minor=0 comm=bash data=<^R>,"nss",<ret>
----
node=yppcil51s.sys.meshcore.net type=USER_END msg=audit(21/08/17 10:24:14.479:20506) : pid=20742 uid=root auid=fr18358 ses=1287 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'

ausearch format raw
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.394:20497): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=ffffffff a2=ffffffff a3=7fab09de8300 items=0 ppid=20717 pid=20742 auid=3318358 uid=0 gid=20599 euid=0 suid=0 fsuid=0 egid=20599 sgid=20599 fsgid=20599 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="nobody" EUID="root" SUID="root" FSUID="root" EGID="nobody" SGID="nobody" FSGID="nobody"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.394:20497): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid AUID="fr18358" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66UID="root" AUID="fr18358"

Additionally, I noticed that ausearch -f /etc/nsswitch.conf doesn't return anything.
It may be working as expected but I doubt it would be very usable to find out who fiddled with a file.

Has someone on the list successfully used the PCI rules in an actual PCI audit?

Philippe
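The raw records in the post keep the keystrokes and the typed command line as hex-encoded data= fields, which is exactly what the text formatter drops ("typed" with nothing after it for the USER_TTY record, serial 20503, and "did-unknown" for the TTY record, serial 20502). As an added example, not code from the linux-audit project or from the poster, here is a small Python renderer that parses `ausearch --format raw` output, decodes the hex fields the way the `-i` interpretation does, groups records by serial and emits one text-style line per event with the TTY data kept. The sample records are constructed to mirror the ones above; the TTY record is reconstructed from the `-i` output since it is absent from the raw dump. The uid-to-name map and the one-entry syscall table are hypothetical stand-ins for getpwuid() and the audit syscall tables, and timestamps are rendered in UTC (the post's `-i` output shows local time).

```python
"""Render auditd SYSCALL / TTY / USER_TTY records with the TTY data that
`ausearch --format text` leaves out.

Added example, not part of the linux-audit project. Input is the raw record
format (key=value pairs, string fields hex-encoded when they contain spaces,
quotes or control characters)."""

import re
from datetime import datetime, timezone

# Constructed sample mirroring the post's raw dump. The TTY record (serial
# 20502) is not in that dump; it is rebuilt from the -i line
# data=<^R>,"nss",<ret>  ->  0x12 'n' 's' 's' 0x0d.
SAMPLE_RAW = """\
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=TTY msg=audit(1503303848.661:20502): tty pid=20743 uid=0 auid=3318358 ses=1287 major=136 minor=0 comm="bash" data=126E73730D
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66
"""

# Hypothetical stand-ins: a uid -> name map instead of getpwuid(), and a
# one-entry x86_64 syscall table (117 is setresuid on x86_64).
UID_NAMES = {0: "root", 3318358: "fr18358"}
SYSCALL_NAMES_X86_64 = {117: "setresuid"}

HEADER_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_hex_field(value):
    """Decode an audit string field. Quoted values are literal; an unquoted
    value is hex-encoded. Control bytes are rendered like auditd's -i output
    (<^R>, <ret>, <nl>, <tab>); NUL separates argv words in PROCTITLE."""
    if value.startswith('"'):
        return value[1:-1]
    if len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return value
    out = []
    for b in bytes.fromhex(value):
        if b == 0x00:
            out.append(" ")
        elif b == 0x0D:
            out.append("<ret>")
        elif b == 0x0A:
            out.append("<nl>")
        elif b == 0x09:
            out.append("<tab>")
        elif b < 0x20:
            out.append("<^%c>" % (b + 0x40))
        elif b == 0x7F:
            out.append("<del>")
        else:
            out.append(chr(b))
    return "".join(out)


def parse_record(line):
    """One raw record -> {type, time (UTC), serial, fields}."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    secs, ms, serial = m.groups()
    fields = dict(KV_RE.findall(line))
    when = datetime.fromtimestamp(int(secs) + int(ms) / 1000, tz=timezone.utc)
    return {"type": fields["type"], "time": when, "serial": int(serial), "fields": fields}


def uid_name(value):
    return UID_NAMES.get(int(value), value) if value is not None else "?"


def render_event(records):
    """Records sharing a serial form one event; render it as one line in the
    style of `ausearch --format text`, but with the TTY data kept."""
    by_type = {r["type"]: r["fields"] for r in records}
    fields = {}
    for r in records:                      # merge, first record wins
        for k, v in r["fields"].items():
            fields.setdefault(k, v)
    when = records[0]["time"].strftime("%d/%m/%y %H:%M:%S UTC")
    prefix = "On %s at %s %s, acting as %s," % (
        fields["node"], when, uid_name(fields.get("auid")), uid_name(fields.get("uid")))
    if "USER_TTY" in by_type:
        return '%s typed "%s"' % (prefix, decode_hex_field(by_type["USER_TTY"]["data"]))
    if "TTY" in by_type:
        t = by_type["TTY"]
        return "%s pressed %s in %s" % (prefix, decode_hex_field(t["data"]), decode_hex_field(t["comm"]))
    if "SYSCALL" in by_type:
        s = by_type["SYSCALL"]
        call = SYSCALL_NAMES_X86_64.get(int(s["syscall"]), "syscall %s" % s["syscall"])
        proc = decode_hex_field(by_type.get("PROCTITLE", {}).get("proctitle", '""'))
        outcome = "successfully" if s.get("success") == "yes" else "unsuccessfully"
        return "%s %s called %s from %s (%s)" % (prefix, outcome, call, decode_hex_field(s["exe"]), proc)
    return "%s did-unknown (%s)" % (prefix, ",".join(sorted(by_type)))


def render_report(raw_text):
    """Parse raw ausearch output, group by serial, return one line per event."""
    events = {}
    for line in raw_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return [render_event(events[serial]) for serial in sorted(events)]


if __name__ == "__main__":
    print("\n".join(render_report(SAMPLE_RAW)))
```

Feed it the output of `ausearch --format raw` (for example restricted with `-m USER_TTY,TTY`) on stdin instead of SAMPLE_RAW to get the same report on a live log. Only fields audit defines as strings (data, proctitle, comm, exe, key) are passed through decode_hex_field; numeric fields such as a3 are hex too and must not be decoded as text. If auditd writes logs in ENRICHED format, the upper-case interpreted pairs appended after the 0x1D separator are ordinary key=value tokens and the same regex picks them up.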
