On Saturday 18 August 2007 13:04:21 Henning, Arthur C. (CSL) wrote: > 1. su - "non_existent_account". Using the nispom.rules provided by > audit 1.5.6-1. Using various ausearch parameters, am unable to find a > corresponding failure when attempting to "su" to a non-existent > account.
[root ~]# ssh -l badacct localhost [EMAIL PROTECTED]'s password: Permission denied, please try again. [EMAIL PROTECTED]'s password: Permission denied, please try again. [EMAIL PROTECTED]'s password: Permission denied (publickey,gssapi-with-mic,password). [root ~]# aureport --start today --login --failed Login Report ============================================ # date time auid host term exe success event ============================================ 1. 08/21/2007 09:27:26 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 264 2. 08/21/2007 09:27:32 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 266 3. 08/21/2007 09:27:36 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 268 4. 08/21/2007 09:27:39 acct=badacc 127.0.0.1 sshd /usr/sbin/sshd no 270 [root ~]# ausearch --start today -a 264 -i ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' [root ~]# ausearch --start today -i -m USER_LOGIN -sv no ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:26.325:264) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:32.609:266) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:36.584:268) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' ---- type=USER_LOGIN msg=audit(08/21/2007 09:27:39.443:270) : user pid=5909 uid=root auid=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct=badacct: exe=/usr/sbin/sshd (hostname=?, addr=127.0.0.1, terminal=sshd res=failed)' > 2. Non-privileged user attempting to change the date/time on the > server. Of course the user fails to be able to do so, but am unable to > capture or review the event. This depends a lot on the arch. You could put execute watches on the apps you expect someone to use: -w /bin/date -p x -k time-change But i also just noticed on x86_64, there is also a clock_settime syscall. I found this by stracing the date program and tracking down a permission denied message. So, on x86_64, add this: -a entry,always -S clock_settime -k time-change And it now shows this: [sgrubb src]$ date 08200930date: cannot set date: Operation not permitted Mon Aug 20 09:30:00 EDT 2007 [root ~]# ausearch --start recent -sv no -i type=SYSCALL msg=audit(08/21/2007 09:50:01.827:357) : arch=x86_64 syscall=clock_settime success=no exit=-1(Operation not permitted) a0=0 a1=7fffc184bd70 a2=7fffc184bd70 a3=6b items=0 ppid=6092 pid=6369 auid=sgrubb uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=date exe=/bin/date subj=user_u:system_r:unconfined_t:s0 key="time-change" Hope this helps... -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
