ausearch --text : missing information

Steve Grubb sgrubb at redhat.com
Mon Sep 18 21:45:46 UTC 2017


On Monday, August 21, 2017 12:01:43 PM EDT Maupertuis Philippe wrote:
> Hi,
> I was toying with the audit pci configuration.
> I opened a root session with sudo in which I just typed C-r nss to retrieve
> the command "less /etc/nsswitch.conf" from the bash_history. The text
> format, as shown below, doesn't handle correctly the tty_audit
> information. Is it a known limitation?
> 
> Ausearch format text
> On yppcil51s.sys.meshcore.net at 10:23:34 21/08/17 fr18358, acting as root,
> successfully changed-identity-of /usr/bin/sudo using setresuid On
> yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as root,
> typed On yppcil51s.sys.meshcore.net at 10:24:08 21/08/17 fr18358, acting as
> root, did-unknown On yppcil51s.sys.meshcore.net at 10:24:14 21/08/17
> fr18358, acting as root, successfully ended-session /dev/pts/0

Yes, this was an omission. I checked in code that supports TTY auditing today.

> Ausearch -I format raw
> ----
> node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(21/08/17
> 10:23:34.400:20501) : proctitle=sudo -i node=yppcil51s.sys.meshcore.net
> type=SYSCALL msg=audit(21/08/17 10:23:34.400:20501) : arch=x86_64
> syscall=setresuid success=yes exit=0 a0=root a1=root a2=root
> a3=0x7fab09de8300 items=0 ppid=20742 pid=20743 auid=fr18358 uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=pts0 ses=1287 comm=sudo exe=/usr/bin/sudo
> key=10.2.5.b-elevated-privs-session ----
> node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(21/08/17
> 10:24:08.661:20503) : pid=20743 uid=root auid=fr18358 ses=1287 data="less
> /etc/nsswitch.conf" ----
> node=yppcil51s.sys.meshcore.net type=TTY msg=audit(21/08/17
> 10:24:08.661:20502) : tty pid=20743 uid=root auid=fr18358 ses=1287
> major=136 minor=0 comm=bash data=<^R>,"nss",<ret> ----
> node=yppcil51s.sys.meshcore.net type=USER_END msg=audit(21/08/17
> 10:24:14.479:20506) : pid=20742 uid=root auid=fr18358 ses=1287
> msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct=root
> exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'
> 
> ausearch format raw
> node=yppcil51s.sys.meshcore.net type=SYSCALL
> msg=audit(1503303814.394:20497): arch=c000003e syscall=117 success=yes
> exit=0 a0=0 a1=ffffffff a2=ffffffff a3=7fab09de8300 items=0 ppid=20717
> pid=20742 auid=3318358 uid=0 gid=20599 euid=0 suid=0 fsuid=0 egid=20599
> sgid=20599 fsgid=20599 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo"
> key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid
> AUID="fr18358" UID="root" GID="nobody" EUID="root" SUID="root" FSUID="root"
> EGID="nobody" SGID="nobody" FSGID="nobody" node=yppcil51s.sys.meshcore.net
> type=PROCTITLE msg=audit(1503303814.394:20497): proctitle=7375646F002D69
> node=yppcil51s.sys.meshcore.net type=SYSCALL
> msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes
> exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743
> auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo"
> key="10.2.5.b-elevated-privs-session"ARCH=x86_64 SYSCALL=setresuid
> AUID="fr18358" UID="root" GID="root" EUID="root" SUID="root" FSUID="root"
> EGID="root" SGID="root" FSGID="root" node=yppcil51s.sys.meshcore.net
> type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
> node=yppcil51s.sys.meshcore.net type=USER_TTY
> msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287
> data=6C657373202F6574632F6E737377697463682E636F6E66UID="root"
> AUID="fr18358"
> 
> Additionally, I noticed that ausearch -f /etc/nsswitch.conf doesn't return
> anything. It may be working as expected but I doubt it would be very usable
> to find out who fiddled with a file.

The -f option picks the file name out of PATH records. It has no way to know 
that anything being typed on a console happens to be a file name.

-Steve


> Has someone on the list successfully used the PCI rules in an actual PCI
> audit?
> 
> Philippe
> 
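As an added example (not code from this thread or from the audit project), the Python below parses raw ausearch output like the records quoted above, decodes the hex-encoded data= and proctitle= fields, and puts side by side what -f can see (the name= of PATH records) and what the TTY records actually hold. The SYSCALL, PROCTITLE and USER_TTY sample records are the ones from the mail; the PATH record and the raw TTY line are constructed here, and the rendering of control bytes as <^R> and <ret> is an approximation of the interpreted output shown above, not ausearch's own code.

```python
"""Parse raw ausearch output and search the hex-encoded TTY keystroke records.

Added example; not code from the linux-audit project or from this thread.
"""
import re

# Constructed sample. SYSCALL, PROCTITLE and USER_TTY are the records quoted in
# the mail; the PATH record (a different file) and the raw TTY record are made
# up here. No PATH record names /etc/nsswitch.conf, which is why
# `ausearch -f /etc/nsswitch.conf` comes back empty.
SAMPLE_RAW = """\
node=yppcil51s.sys.meshcore.net type=SYSCALL msg=audit(1503303814.400:20501): arch=c000003e syscall=117 success=yes exit=0 a0=0 a1=0 a2=0 a3=7fab09de8300 items=0 ppid=20742 pid=20743 auid=3318358 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1287 comm="sudo" exe="/usr/bin/sudo" key="10.2.5.b-elevated-privs-session"
node=yppcil51s.sys.meshcore.net type=PROCTITLE msg=audit(1503303814.400:20501): proctitle=7375646F002D69
node=yppcil51s.sys.meshcore.net type=PATH msg=audit(1503303820.100:20499): item=0 name="/etc/sudoers" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
node=yppcil51s.sys.meshcore.net type=TTY msg=audit(1503303848.661:20502): tty pid=20743 uid=0 auid=3318358 ses=1287 major=136 minor=0 comm="bash" data=126E73730D
node=yppcil51s.sys.meshcore.net type=USER_TTY msg=audit(1503303848.661:20503): pid=20743 uid=0 auid=3318358 ses=1287 data=6C657373202F6574632F6E737377697463682E636F6E66
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_records(raw):
    """Split raw ausearch output into one dict per record (field -> value)."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith('----'):   # -i output separates events with ----
            continue
        rec = {}
        for key, value in FIELD_RE.findall(line):
            if key == 'msg' and 'msg' in rec:     # USER_* records carry a second msg='...'
                key = 'detail'
            rec[key] = value[1:-1] if value[0] in '"\'' else value
        m = MSG_RE.search(rec.get('msg', ''))
        if m:
            rec['time'], rec['serial'] = float(m.group(1)), int(m.group(2))
        records.append(rec)
    return records

def hex_to_bytes(value):
    """Audit hex-encodes a string field holding spaces or control bytes; else None."""
    if value and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value)
    return None

def decode_proctitle(value):
    """proctitle= packs argv with NUL separators: 7375646F002D69 -> 'sudo -i'."""
    raw = hex_to_bytes(value)
    return value if raw is None else raw.replace(b'\0', b' ').decode('latin-1')

def render_keystrokes(value):
    """Render TTY/USER_TTY data the way the interpreted output in the thread
    shows it: printable runs quoted, control bytes as <^X>, comma-joined.
    Assumption: an approximation of ausearch -i, not its code."""
    raw = hex_to_bytes(value)
    if raw is None:
        return value                       # already a plain quoted string
    tokens, run = [], ''
    for b in raw:
        if 0x20 <= b < 0x7F:
            run += chr(b)
            continue
        if run:
            tokens.append('"%s"' % run)
            run = ''
        tokens.append({0x0D: '<ret>', 0x0A: '<nl>'}.get(b, '<^%c>' % ((b + 0x40) & 0x7F)))
    if run:
        tokens.append('"%s"' % run)
    return ','.join(tokens)

def files_from_path_records(records):
    """All that `ausearch -f` consults: the name= field of PATH records."""
    names = set()
    for r in records:
        if r.get('type') == 'PATH' and 'name' in r:
            raw = hex_to_bytes(r['name'])
            names.add(r['name'] if raw is None else raw.decode('latin-1'))
    return names

def typed_lines_mentioning(records, needle):
    """What -f cannot see: pam_tty_audit keystrokes (TTY) and the completed line
    bash reported (USER_TTY). Returns (auid, ses, serial, type, text) tuples."""
    hits = []
    for r in records:
        if r.get('type') in ('TTY', 'USER_TTY') and 'data' in r:
            text = render_keystrokes(r['data'])
            if needle in text:
                hits.append((r.get('auid'), r.get('ses'), r.get('serial'), r['type'], text))
    return hits

def who_touched(raw, filename):
    """Side by side: PATH-record matches (the -f view) vs. typed-command matches."""
    recs = parse_records(raw)
    return {
        'path_records': sorted(n for n in files_from_path_records(recs) if filename in n),
        'typed': typed_lines_mentioning(recs, filename),
    }

if __name__ == '__main__':
    for k, v in who_touched(SAMPLE_RAW, '/etc/nsswitch.conf').items():
        print(k, v)
```

Running it against the sample shows the gap Steve describes: `path_records` is empty for /etc/nsswitch.conf because `less` reading the file produced no PATH record under these rules, while the USER_TTY record for auid 3318358, session 1287 decodes to `"less /etc/nsswitch.conf"`. Feed it `ausearch --raw` output to get the same contrast on real data; a file-watch rule (`-w /etc/nsswitch.conf -p r`) is what would make the read show up in PATH records and therefore to -f.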
