>> It would be helpful to me to know what your use cases/requirements are.
I guess the main thing we want is to make the audit data easier to understand when we are reviewing it, and I'd rather not have to issue multiple ausearch commands per machine times n systems to get an overview of possible wrongdoing on the machine ... Certainly I can use those tools to investigate further if I see something suspicious. I'll have to see if I can find the script you mentioned online somewhere and see if it's close to what I want. If not, here's a feel for what we'd be interested in as a bare minimum, and certainly any improvements would be even better.

Here is a sample of what I did with some test audit output on Solaris 10. The Perl scripts that I have written for Irix, Solaris, and Mac OSX aren't super savvy, but they pull the data into a key value hash table so I can reformat it into a more English-like format (and I throw out stuff my site doesn't care about like file access failures that are caused by "file not found" rather than permission problems). Except for Irix (where I shoot converted stuff to a central host via the syslog facility), my scripts also manage the audit data to keep it to a manageable size, move it to a central place where I can keep straight which data has or has not already been reviewed, and let me review audit logs on multiple machines all at once.

I wrote these scripts for Solaris 8 before I knew about snare, then I ported them to Mac OSX (again, snare wasn't available on that platform), and then ported them again to Solaris 10 before a snare version was available there. I use my scripts in conjunction with snare on Irix to make the audit data easier to read.
Here is a sample of the converted Solaris 10 output:

-------------------------------------------------------------------
(invalid user) FAILED to telnet into oldpatton from oldzumwalt: No account present for user on 2005-09-28 15:41:29.608 -04:00
rick FAILED to ftp into oldpatton from oldzumwalt: bad password on 2005-09-28 15:42:00.448 -04:00
rick FAILED to ftp into oldpatton from oldzumwalt: misc failure on 2005-09-28 15:42:00.451 -04:00
root successful rlogin into oldpatton from oldzumwalt on 2005-09-28 15:42:06.297 -04:00
root logged out of oldpatton on 2005-09-28 15:42:15.065 -04:00
karen successful rlogin into oldpatton from oldzumwalt on 2005-09-28 15:42:25.127 -04:00
karen as root on oldpatton ran setaudit_addr(2) on 2005-09-28 15:42:30.905 -04:00
**** karen as root on oldpatton ran su root on 2005-09-28 15:42:30.908 -04:00
karen as root on oldpatton ran setaudit_addr(2) on 2005-09-28 15:42:35.190 -04:00
**** karen as root on oldpatton ran su rick on 2005-09-28 15:42:35.193 -04:00
karen as rick on oldpatton FAILED to modify time on /etc/shadow: Permission denied on 2005-09-28 15:42:40.262 -04:00
karen as rick on oldpatton FAILED to remove /etc/shadow: Permission denied on 2005-09-28 15:42:46.506 -04:00
karen as root on oldpatton FAILED to su thomas: bad username on 2005-09-28 15:44:05.870 -04:00
karen as root on oldpatton FAILED to su dan: bad auth. on 2005-09-28 15:44:15.811 -04:00
(invalid user) FAILED to ftp into oldpatton from oldpatton: bad password on 2005-09-28 15:45:03.703 -04:00
(invalid user) FAILED to ftp into oldpatton from oldpatton: misc failure on 2005-09-28 15:45:03.705 -04:00
rick FAILED to ftp into oldpatton from oldpatton: bad password on 2005-09-28 15:45:15.391 -04:00
rick FAILED to ftp into oldpatton from oldpatton: misc failure on 2005-09-28 15:45:15.394 -04:00
dan FAILED to telnet into oldpatton from oldpatton: Authentication failed on 2005-09-28 15:45:26.661 -04:00
karen on oldpatton FAILED to open /etc/security/policy.conf: Permission denied on 2005-09-28 15:45:38.063 -04:00
karen on oldpatton FAILED to rmdir /home/karen/.sunw/pkcs11_softtoken: File exists on 2005-09-28 15:45:38.112 -04:00
karen on oldpatton FAILED to open /dev/devices/pseudo/[EMAIL PROTECTED]:urandom: Permission denied on 2005-09-28 15:45:38.148 -04:00
(invalid user) FAILED to ssh into oldpatton from oldpatton: Authentication failed on 2005-09-28 15:45:48.094 -04:00
karen on oldpatton FAILED to mkdir /home/karen/.sunw/pkcs11_softtoken: File exists on 2005-09-28 15:46:07.587 -04:00
karen on oldpatton FAILED to open /dev/devices/pseudo/[EMAIL PROTECTED]:urandom: Permission denied on 2005-09-28 15:46:07.602 -04:00
(invalid user) FAILED to ssh into oldpatton from oldpatton: Authentication failed on 2005-09-28 15:46:13.153 -04:00
karen on oldpatton FAILED to modify time on /var/audit: Permission denied on 2005-09-28 15:46:22.179 -04:00
karen on oldpatton FAILED to modify time on /etc/shadow: Permission denied on 2005-09-28 15:46:29.514 -04:00
karen on oldpatton FAILED to open /etc/shadow: Permission denied on 2005-09-28 15:46:47.469 -04:00
karen on oldpatton FAILED to create /etc/shadow: Permission denied on 2005-09-28 15:47:10.423 -04:00
karen logged out of oldpatton on 2005-09-28 15:47:32.486 -04:00
----------------------------------------------------------------

I realize that the tabs/spaces don't line up, but I sort the output, and even though the entries are no longer in chronological order, similar records are grouped, the sentences read like English instead of scrambled garbage, and it's pretty easy to visually scan through the data. Savvy programmers might do something better than this, but it's simple and it beats the pants off looking at the raw Solaris audit data:

----------------------------------------------------------------
# << --- *snip* ---->>
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:42:35.191 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,94,2,su,,oldpatton,2005-09-28 15:42:35.193 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,text,success for user rick,return,success,0
header,137,2,utimes(2),fe,oldpatton,2005-09-28 15:42:40.262 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10381,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1
header,137,2,unlink(2),fe,oldpatton,2005-09-28 15:42:46.506 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10382,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1
header,166,2,symlink(2),fe,oldpatton,2005-09-28 15:43:39.253 -04:00,path,/var/audit/fileshouldntbeallowedindirwhereuserhasnopermission,subject,karen,rick,users,rick,users,10383,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,file_dac_search,return,failure: Permission denied,-1
header,214,2,link(2),fe,oldpatton,2005-09-28 15:43:55.986 -04:00,path,/etc/passwd,attribute,100644,root,sys,32,50381,0,path,/var/audit/fileshouldntbeallowedindirwhereuserhasnopermission,subject,karen,rick,users,rick,users,10384,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,file_dac_search,return,failure: Permission denied,-1
header,81,2,auditon(2) - get audit state,,oldpatton,2005-09-28 15:44:05.859 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.866 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.866 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:44:05.868 -04:00,subject,karen,root,users,rick,users,10385,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
# << --- *snip* ---->>

Thanks,
Karen Wieprecht

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
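As an added illustration of the conversion the post describes (this is example code written for this page in Python; it is not Karen's Perl script and not part of the thread), the block below parses the comma-delimited Solaris audit records quoted above into a key/value structure per record, drops the "file not found" failures the post says its site ignores, and renders the remaining records as sorted English-like lines in the style of the converted sample. The per-token field counts, the event-to-verb table and the "****" marker rule are assumptions inferred from the sample records, not a specification of praudit output; the "No such file or directory" record in the sample input is constructed to exercise the filter.

```python
"""Turn praudit-style comma-delimited Solaris BSM records into sorted,
English-like one-liners, along the lines described in the post.

Assumptions (inferred from the sample records, not from any Solaris
documentation): the number of fields following each token name, the
verb table, and the rule that su to root gets a "****" marker.
"""

# Fields that follow each token name in the delimited records (assumed).
TOKEN_ARITY = {
    "header": 6,            # length, version, event, modifier, host, time
    "subject": 8,           # audit-uid, uid, gid, ruid, rgid, pid, sid, tid
    "path": 1,
    "attribute": 6,         # mode, owner, group, fsid, nodeid, device
    "use of privilege": 2,  # status text, privilege name
    "text": 1,
    "return": 2,            # status, return value
}

# Event name -> English verb phrase (assumed; the post does not list its table).
VERBS = {
    "utimes(2)": "modify time on",
    "unlink(2)": "remove",
    "symlink(2)": "symlink",
    "link(2)": "link",
    "mkdir(2)": "mkdir",
    "rmdir(2)": "rmdir",
}

# Failure reasons the post says its site throws away ("file not found"
# rather than a permission problem).
IGNORED_FAILURES = ("No such file or directory",)


def parse_record(line):
    """Split one delimited record into a dict keyed by token name.

    Tokens are consumed left to right using TOKEN_ARITY; path tokens are
    collected into a list because link(2) carries two of them.
    """
    fields = line.rstrip("\n").split(",")
    rec = {"path": []}
    i = 0
    while i < len(fields):
        name = fields[i]
        arity = TOKEN_ARITY.get(name)
        if arity is None:
            raise ValueError(f"unknown token {name!r}")
        values = fields[i + 1:i + 1 + arity]
        if len(values) != arity:
            raise ValueError(f"truncated {name!r} token")
        if name == "path":
            rec["path"].append(values[0])
        else:
            rec[name] = values
        i += 1 + arity
    for required in ("header", "subject", "return"):
        if required not in rec:
            raise ValueError(f"record lacks {required!r} token")
    return rec


def summarize(rec):
    """Render a parsed record as one English-like line, or None if the
    site filter says to drop it."""
    _length, _version, event, _modifier, host, when = rec["header"]
    auid, uid = rec["subject"][:2]          # audit user id, effective uid
    status = rec["return"][0]               # "success" or "failure: <reason>"
    failed = status.startswith("failure")
    reason = status.partition(":")[2].strip() if failed else ""
    if failed and reason in IGNORED_FAILURES:
        return None
    who = auid if auid == uid else f"{auid} as {uid}"
    verb = VERBS.get(event, event)          # unknown events keep their name
    if event == "su" and "text" in rec:
        objects = [rec["text"][0].split()[-1]]   # "success for user rick" -> rick
    else:
        objects = rec["path"]
    target = " ".join([verb] + objects)
    marker = "**** " if event == "su" and uid == "root" else ""
    if failed:
        return f"{marker}{who} on {host} FAILED to {target}: {reason} on {when}"
    return f"{marker}{who} on {host} ran {target} on {when}"


def convert(raw):
    """Convert a block of raw records (comment and blank lines skipped)
    into a sorted list of English-like lines, as the post sorts its output."""
    out = []
    for line in raw.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        summary = summarize(parse_record(line))
        if summary is not None:
            out.append(summary)
    return sorted(out)


# Sample input: four records quoted from the post plus one constructed
# "No such file or directory" failure to show the filter at work.
SAMPLE = """\
# << --- *snip* ---->>
header,95,2,getaudit_addr(2),,oldpatton,2005-09-28 15:42:35.191 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,use of privilege,successful use of priv,sys_audit,return,success,0
header,94,2,su,,oldpatton,2005-09-28 15:42:35.193 -04:00,subject,karen,root,root,root,root,10377,3015119284,242 513 oldzumwalt,text,success for user rick,return,success,0
header,137,2,utimes(2),fe,oldpatton,2005-09-28 15:42:40.262 -04:00,path,/etc/shadow,attribute,100400,root,sys,32,50382,0,subject,karen,rick,users,rick,users,10381,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,ALL,return,failure: Permission denied,-1
header,214,2,link(2),fe,oldpatton,2005-09-28 15:43:55.986 -04:00,path,/etc/passwd,attribute,100644,root,sys,32,50381,0,path,/var/audit/fileshouldntbeallowedindirwhereuserhasnopermission,subject,karen,rick,users,rick,users,10384,3015119284,242 513 oldzumwalt,use of privilege,failed use of priv,file_dac_search,return,failure: Permission denied,-1
header,137,2,utimes(2),fe,oldpatton,2005-09-28 15:50:00.000 -04:00,path,/etc/nonexistent,subject,karen,karen,users,karen,users,10390,3015119284,242 513 oldzumwalt,return,failure: No such file or directory,-1
"""

if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

Running it prints the su line first (the "****" marker sorts ahead of user names, which is what makes privilege changes jump out when scanning), the two failed operations on /etc files next, and the getaudit_addr(2) call last; the constructed "No such file or directory" record does not appear at all.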
