Thanks! This has some interesting implications regarding attackers coming in through a vulnerability in an organization's web services. I’ll have to compare what relevant information I can capture in the audit logs vs. what is captured in web server logs.
Todd > On Jul 30, 2020, at 11:29 AM, Steve Grubb <[email protected]> wrote: > > On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote: >> I’ve noticed that the httpd process on a CentOS 7.7 system I am working >> with is running with an Audit ID of -1. Example ID values are: >> >> auid=4294967295 >> uid=48 >> gid=48 >> ... >> >> So if use the standard filter "-F auid!=-1” in the audit rules I do not see >> httpd activity. >> >> Is this common? > > Yes, this is common. Most people are interested in the actions that people > take on the machine rather than normal system functioning. > >> How do I change the auid to something else, so I can capture the httpd >> activity in the audit log? > > A couple of ways. > 1) remove the auid!=-1. That will get you all daemons. > 2) Use audit by executable rules: > -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec > > -Steve > >> Example audit line: >> >> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 >> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 >> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 >> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" >> exe="/usr/sbin/httpd" key=(null) > > > > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
