The format of password change audit events seems to have changed, Can you confirm the correct record type ?

warron.french warron.french at gmail.com
Fri Jul 9 12:06:13 UTC 2021 

Got it, thanks!
--------------------------
Warron French



On Thu, Jul 8, 2021 at 8:46 PM Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2021-07-08 18:53, warron.french wrote:
> > This is an interesting topic.
> >
> > Please, can you tell me what audit rule you are using that generates such
> > records about root's (*or any other account's) password change?*
>
> This is a built-in to the userspace password management tools and not a
> kernel-triggered rule.
>
> You could duplicate the effort by monitoring /etc/shadow for writes if
> you are really paranoid about those tools being subverted.
>
> > Sincerely, thank you.
> > --------------------------
> > Warron French
> >
> > On Thu, Jul 8, 2021 at 3:27 PM Steve Grubb <sgrubb at redhat.com> wrote:
> > > On Thursday, July 8, 2021 2:19:54 PM EDT Wieprecht, Karen M. wrote:
> > > > I've noticed that the messages I'm searching  for in splunk to show
> root
> > > > password changes no longer seem to be in the same format.  Most of
> our
> > > > systems run RHEL7 release 7.9,  and I believe this is a recent change
> > > > (I've only noticed this problem in the past 3 months or so?), but we
> do
> > > > have an older 7.5 system, so  I was able to use that to compare
> against
> > > > the 7.5 to  identify what's changed.    I wanted to confirm which
> record
> > > I
> > > > should be using now since there are several that get generated now
> > > >
> > > > The key differences seem to be in the message generated and the
> keyname
> > > > being used for the account being targeted,  but I wanted to confirm
> that
> > > > there isn't some other record I should be looking at to verify that
> the
> > > > root password was changed in the required timeframe since I see
> several
> > > > records being generated from a password change, none of which include
> > > > anything as conclusive as the old message that showed the operation
> as a
> > > > "password change".   Here are some fo the fields I'm looking at:
> > > >
> > > > type=USER_CHAUTHOK
> > > > exe=/usr/bin/passwd
> > > > [acct targeted for the passwd change]:
> > > >             id=root          (old format)
> > > >             acct=root      (latest format)
> > > > msg
> > > >            msg='op=change password  (old format)
> > > >            msg='op=PAM:chauthok      (latest format)
> > > >
> > > > If you can  confirm whether this is the info I should be using now to
> > > > confirm password changes, that would be much appreciated.
> > >
> > > I don't have a RHEL 7.9 machine to compare against. I can set one up in
> > > about
> > > a week. On 7.6 the event looks like this:
> > >
> > > type=USER_CHAUTHTOK msg=audit(1625771196.574:162): pid=5113 uid=0
> > > auid=1000
> > > ses=1 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
> > > msg='op=change
> > > password id=1000 exe="/usr/bin/passwd" hostname=rhel7.3 addr=?
> > > terminal=pts/0
> > > res=success'
> > >
> > > The problem is that "op= change passwd" has a space in it and will not
> > > parse
> > > right. I have been trying to correct instances of this so that things
> > > parse
> > > correctly. Not everyone runs their changes by me for comment. So, its
> > > possible that the change was made to fix the space, but usually I
> suggest
> > > people add an underscore.
> > >
> > > I'll into it more next week.
> > >
> > > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20210709/d9dff5dd/attachment.htm>

More information about the Linux-audit mailing list