On Tuesday, December 17, 2019 12:16:14 PM EST MAUPERTUIS, PHILIPPE wrote:

> > > What are the corresponding events in audit ?
> >
> > I don't think anyone has ever tried to map between syslog and audit. I also think that CIS maybe doesn't understand audit and how it works. For quite some time, there has been a requirement to log any key lifecycle in the audit logs. This means that the DH key exchange and the session keys get logged when they are created and when they are destroyed. Also, pam logs the session beginning and end. And sshd logs any keys that it accepts. So, I think the information is there if one wanted or needed to map between them. But it should be unnecessary. I'm not sure what CIS is looking for in syslog. Because if there is something important in syslog that is not in the audit logs, I'd like to know what it is.
> >
> > > My main concern is with the bold line which indicates how the public key was granted
> >
> > That should also be in the audit logs.
>
> I find in the audit log which key has been accepted but not that it has been accepted due to /usr/bin/sss_ssh_authorizedkeys (and not a local authorized_keys file). In the USER_AUTH message I can see a field grantors=auth-key but I don't know how to interpret it.
The grantors part comes from pam. It is used to describe what in the pam stack allowed the access. Sshd should use "pubkey_auth" somewhere in the event if it granted the access.

> I had a look at https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv but grantor is not mentioned there. I didn't find other fields as well:
> From SOFTWARE_UPDATE the fields sw, sw_type, key_enforce are not listed.
> The page https://github.com/linux-audit/audit-documentation/blob/master/specs/messages/message-dictionary.csv doesn't mention the type SOFTWARE_UPDATE. Maybe I am looking in the wrong place. Where should I look?

This has not been updated in a long time. The source code is where I go to find the truth about anything. :-)

> > > Could you point me to a documentation showing which events an ssh login would generate ?
> >
> > To my knowledge, there is no document that singles out what a sshd login should look like. There are documents that explain what the record types are. And you should be able to isolate them by ausearch -x sshd.
>
> What I missed was this ausearch -x sshd which gives me the events

OK. Good. Glad that was helpful.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
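As an added illustration (not code from the thread, from Steve, or from the audit project), here is a small Python parser for raw audit records that mimics what `ausearch -x sshd` isolates and pulls out the grantors= field Philippe asked about. The sample records are constructed, and filtering on the exe field is an approximation of how ausearch matches an executable.

```python
import re

# Constructed sample records (field names follow the audit key=value layout,
# the values are invented; the grantors field is the one the thread discusses).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1576600574.101:2001): pid=4211 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=auth-key acct="philippe" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1576600574.102:2002): pid=4211 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_sss acct="philippe" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1576600574.150:2003): pid=4211 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:EXAMPLEFINGERPRINT direction=? spid=4212 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=USER_LOGIN msg=audit(1576600580.000:2010): pid=9001 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one raw audit line into a flat dict; None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    outer, inner = m.group("rest"), ""
    # The pam/sshd detail (op, grantors, acct, exe, res ...) sits in a nested msg='...'.
    if " msg='" in outer:
        outer, inner = outer.split(" msg='", 1)
        inner = inner.rstrip("'")
    for part in (outer, inner):
        for key, value in KV_RE.findall(part):
            rec[key] = value.strip('"')
    return rec


def sshd_records(log_text):
    """Approximate `ausearch -x sshd`: keep records whose exe is the sshd binary."""
    records = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("exe", "").endswith("/sshd"):
            records.append(rec)
    return records


def grantors_by_type(records, acct):
    """Map record type -> pam modules listed in grantors= for the given account."""
    result = {}
    for rec in records:
        if rec.get("acct") == acct and "grantors" in rec:
            result[rec["type"]] = rec["grantors"].split(",")
    return result
```

On a real host, feed it the output of `ausearch -x sshd --raw` instead of SAMPLE_LOG; the grantors list then shows which pam modules (or, as in the thread, an auth-key entry) allowed each step of the login.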
