> On Wednesday 03 December 2008 09:57:48 Loredan Stancu wrote: >> >> 1. audisp-prelude plugin is not generating events when a user is >> logged >> >> in. >> > >> > Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN >> > Without that, you won't see anything. >> >> This is the problem that no USER_LOGIN appears in the log file. No >> events >> are generated when a user is logged in. > > You likely need to compile openssh with a "--with-linux-audit" option to > the > configure line. If your distribution does not have the openssh audit > patch, you > can find it here: > > http://cvs.fedora.redhat.com/viewvc/devel/openssh/openssh-4.7p1- > audit.patch?revision=1.1
Another question: Can auditd generate events when a user is logging in using ssh? That implies ssh use pam? I ask this because I want use audit in a production server and I'm not allowed to manually install packages. I am allowed to only use emerge to install packages. At this moment I do not have a USE flag(gentoo specific) corresponding to --with-linux-audit. @Steve :) : Can you help me please with audisp-remote? I'll explain again what I want to do: Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production. M3 is a centralized machine events. On M1 and M2 runs auditd and audisp-remote. audisp-remote sends events to M3. I know how to configure auditd and audisp-remote on M1 and M3. What I don't know is what should I do on M3 so that it can receive events from M1 and M2 and store this events in regular file. After this is clarified I'll see haw should I do to separate events based on the node machine(M1 and M2). > >> >> 2. audisp-prelude plugin is not sending uid, gid to a prelude-manager >> > >> > For which event? The loginuid is mostly what I concentrated on since >> that >> > tells you how they got into the machine. >> >> For any events. I am using prelude-manager and prewikka and I can't see >> any uid or gid of any events. > > I'll check what I'm collecting. But I'm sure that loginuid should be there > whenever its relevant. > > >> >> 3. No events are generate for watched files/exec/mk_exe if no tow -k >> >> options are specified in the rule. One of the -k options should >> contain >> >> '-k ids-type-severity' and another -k may contain anything. If you >> >> specify >> >> only one -k options no events are generated. >> > >> > You need 2 rules to cover this: >> > >> > auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F >> > filetype=file >> > -k ids-mkexe-hi >> > auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' >> > -F filetype=file -k ids-mkexe-hi >> > >> > It works fine on my system. Also note that it depends on having a >> recent >> > kernel. >> >> On Gentoo linux I'm using kernel version 2.6.26-gentoo-r3 and on Debian >> system I'm using kernel version 2.6.26-1-686 >> In both kernels I have support for audit and inotify. > > And you are able to load and list the 2 rules I sent above? Can you find > the > results with ausearch --start today -k mkexe -m SYSCALL ? You might also > strace the app that's making executables that you are trying to catch to > make > sure you have a rule that will catch it. Yes, I could load that rules and this is what si loaded when a file gets eecution rights: type=SYSCALL msg=audit(1228324240.067:14): arch=40000003 syscall=306 success=yes exit=0 a0=ffffff9c a1=80550b8 a2=1ed a3=80550b8 items=1 ppid=7828 pid=16847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi" type=CWD msg=audit(1228324240.067:14): cwd="/usr/local/audit" type=PATH msg=audit(1228324240.067:14): item=0 name="/home/darkone/testfile" inode=65247 dev=08:03 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 >> >> Another question is how I can use audisp-remote to send events >> somewhere >> >> remote? > > I think I answered this in the other email, but to be clear, the > audisp-remote > plugin wants to talk to a remove audit daemon. So the chain of custody for > an > event looks like: > > kernel->auditd->audispd->audisp-remote->auditd->file > > -Steve > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
