httpd auid = -1
Todd Heberlein
todd_heberlein at mac.com
Thu Jul 30 18:47:05 UTC 2020
Thanks!
This has some interesting implications regarding attackers coming in through a vulnerability in an organization's web services. I’ll have to compare what relevant information I can capture in the audit logs vs. what is captured in web server logs.
Todd
> On Jul 30, 2020, at 11:29 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
>> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
>> with is running with an Audit ID of -1. Example ID values are:
>>
>> auid=4294967295
>> uid=48
>> gid=48
>> ...
>>
>> So if use the standard filter "-F auid!=-1” in the audit rules I do not see
>> httpd activity.
>>
>> Is this common?
>
> Yes, this is common. Most people are interested in the actions that people
> take on the machine rather than normal system functioning.
>
>> How do I change the auid to something else, so I can capture the httpd
>> activity in the audit log?
>
> A couple of ways.
> 1) remove the auid!=-1. That will get you all daemons.
> 2) Use audit by executable rules:
> -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
>
> -Steve
>
>> Example audit line:
>>
>> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
>> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
>> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
>> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" key=(null)
>
>
>
>
More information about the Linux-audit
mailing list