k?
Thanks in advance for any advice,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8)
https://github.com/linux-audit/audit-documentation
...
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On 10/16/2018 04:07 PM, Lenny Bruzenak wrote:
> Situation:
>
> Have 3 VMs all running RHEL7.6 (3.10.0-933.el7.x86_64) with audit
> components 2.8.4, including audisp-plugins. Using the audisp-remote
> plugin,
>
> Machine A -> B
>
> Machine B -> C
>
> Problem
intenance branch of the audit package. All of
> the fixes included here are cherry picked fixes from the audit-3.0
> development
> branch. This might be the last release for the 2.8 code base. We'll just have
> to see.
Wow; this is a lot of fixes. Thanks Steve (and bug fixers)!
g it is because until the user data has been successfully
entered, there is no translation. Perhaps the event submission should
wait until that happens?
I may be able to dig out the name from other related generated events,
but that is kind of a pain.
audit-2.8.5, RHEL 7.6
Thx,
LCB
--
Lenny
On 5/17/19 7:44 AM, Steve Grubb wrote:
> On Thursday, May 16, 2019 7:00:38 PM EDT Lenny Bruzenak wrote:
>> If I add a new user with the "useradd" utility, it submits a ADD_USER
>> event, but the event itself has no interpretation for the new UID.
> What exactly was
ars. It
> should be calling faillock. I'll chat with upstream maintainers.
>
> -Steve
Thank you Steve, much appreciated! If they are able to provide a patch,
would you mind asking them to send me a link and I'll test it ASAP?
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
AUDIT_NO_ID,
> SHADOW_AUDIT_SUCCESS);
> #endif
> /*
I tested this and it looks good. Thanks Steve, I really appreciate the help.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
t; -Steve
Also should it not be the "#define AUDIT_INTERP_SEPARATOR 0x1D" for
enriched format records?
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
typo; I've put it into the grub config and
run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that.
Again, the parameter is there in /proc/cmdline but doesn't seem to be
accepted. No warnings about it either AFAICT.
RHEL7.6, kernel 3.10.0-957
Don't think the audit userspace
at's obviously a hurdle for most.
It would definitely have been useful, some might say even necessary,
given the audit event startup noise occurring with systemd.
Wow. Thanks Richard, I appreciate the answer on this.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing l
On 7/30/19 3:36 PM, Richard Guy Briggs wrote:
> On 2019-07-30 15:06, Lenny Bruzenak wrote:
>> On 7/29/19 4:32 PM, Richard Guy Briggs wrote:
>>> It is being ignored because that kernel command line extension to the
>>> original feature was never backported to RHEL7.
>
o
me it seems that implies storage.
If that's true, I would want to be able to disable it as I do not want
audit events stored elsewhere as well.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
re as well.
> It is true. You get 2 copies, one in the journal and it also relays one to
> rsyslog. This should fix it:
>
> systemctl mask systemd-journald-audit.socket
>
> -Steve
Gotcha; thanks Steve.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@red
it is there, sure, why not? Then, if all calls either to
non-existent or say access-denied paths looked the same, then that would
be fine I think. I would not be as happy if one could sniff out
inaccessible directories (as opposed to non-existent) from audited
events though.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On 2/5/20 4:27 PM, Orion Poplawski wrote:
I would like to track file modifications made by a specific UID. I have:
-a exit,never -F dir=/proc/
-a exit,never -F dir=/var/cache/
-a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
-a exit,never -F exe=/usr/libexec/gam_server
-a always,exit
On 2/6/20 11:12 AM, Orion Poplawski wrote:
Doesn't seem much better:
type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash
/usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0
On 2/6/20 11:33 AM, Lenny Bruzenak wrote:
On 2/6/20 11:12 AM, Orion Poplawski wrote:
Doesn't seem much better:
type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
proctitle=/bin/bash
/usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
sy
monset code be taken through Common Criteria evaluation?
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
On 4/16/20 6:06 AM, Lennart Poettering wrote:
I'm regretting having developped this feature due to the problems it has
caused the audit developpers and innocent bystanders. Instead, an audit
daemon plugin should have been used to direct log records to
journald.
I am sorry, but this doesn't w
On 4/20/20 5:29 PM, Paul Moore wrote:
On Mon, Apr 20, 2020 at 5:56 PM Richard Guy Briggs wrote:
On 2020-04-20 17:36, Paul Moore wrote:
Commit 756125289285 ("audit: always check the netlink payload length
in audit_receive_msg()") fixed a number of missing message length
checks, but forgot to c
on the fly with that.
But again for me the strength of locking the rules into place is pretty
big. I can only imagine what an informed pen test crew would do with
dynamic rule manipulation.
Thanks Steve!
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https:/
. Can you
provide a little more detail (e.g. parameters)?
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
events at the
process level, not the thread level. After all, there isn't really
much in the way of significant boundaries between threads.
That's right, Paul. The process (exe/comm) is the discriminator from a
security perspective.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audi
On 11/20/20 1:43 PM, L. A. Walsh wrote:
> Repost from right address.
> On 2020/10/08 08:33, Lenny Bruzenak wrote:
>
>> On 10/7/20 7:27 PM, Paul Moore wrote:
>>
>>
>>> Almost everywhere in the kernel we record the TGID for the "pid="
>>> v
assessment; this is an area I'm always looking at. I've got questions
I'll post separately as they are not germane to this thread.
As an interested user I'm hoping for a resolution on this, so that the
userspace release can happen, as this seems to be a beneficial ch
i-record events would have fit.
I guess that depends on the buffer size.
Appreciate the help in advance; thanks.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
may need to be
increased for more recent kernels since there are more events caught and
some events have more records.
Appreciate the help in advance; thanks.
I hope this helps.
Yes, it does help. Thanks Richard!
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@r
d it's likely using a
"silent" default...but here I realize was not the focus of your effort.
Just musing.
I applaud your efforts in this area, and if you are able to share any
practices about handling the backlogs I'd appreciate seeing that.
V/R,
LCB
--
Lenny Bruzenak
M
n.
Looking at the records which appear to be delayed (in OP), I see that
they are PATH (w/PROCTITLE). Just curious, is the path involved part of
a networked FS, or something like a VM shared directory?
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
ir-syscall-event-and-file-path/266015/3>
I tested this on a 3.10.0 kernel with userspace 2.8.5 and it works as
advertised.
The "proctitle" event in my search was the first one and I used the "-i"
interpret flag. I could decode the raw ascii above but I suspect it
would say "rmdir /sasdata/testdir/", since "72" is "r", "6D" is "m" and
"2F", the last char, is "/" .
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
the
backlog count doesn't increase and I can't see where the events may have
been delivered.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
-m "Event $CNT"
> let CNT=$CNT-1
> done
# ausearch -i -ts recent --checkpoint /tmp/check --just-one -m user
< Returns event 10 >
but
# ausearch -i --checkpoint /tmp/check --just-one -m user
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linu
ows how to group events
> and hides all additional complexity. You can either use it to parse the log
> directly or to get the events from the realtime interface.
>
> -Steve
>
See :
http://security-plus-data-science.blogspot.com/2017/06/using-auparse-in-python.html
Sounds like yo
ere is no code with
exactly 3 dashes in the audit user space or kernel.
I see "subj==" which I do not think is correct. Are you certain the
event was not manipulated after the fact?
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
aving audit
rules with a non-existent value in the field specifiers that deal
with subject or object values.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
On 6/7/22 09:14, Paul Moore wrote:
On Tue, Jun 7, 2022 at 11:02 AM Steve Grubb wrote:
On Tuesday, June 7, 2022 9:42:06 AM EDT Paul Moore wrote:
On Mon, Jun 6, 2022 at 7:10 PM Lenny Bruzenak wrote:
I've been told that it is not a potential security problem, and not
subject to change i
in ways probably not suitable for general use.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
est code it still is!).
This may be true, doubtful it is the intent.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
re macros exist to accommodate that and you would
be more familiar with those than me.
HTH,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
On 11/22/2016 08:55 AM, Stephen Smalley wrote:
>OK. We can move the point where res=1 is set. But I would think that its a
>requirement to have an audit record that states that policy failed to load.
>FMT_MSA.3 Static Attribute Initialization. Auditable events: All modifications
>of the initial
sion of audit, using the
"distribute_network" setting. I've been unable to play with that yet though.
HTH,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
y occur at spaced times, trying to patch those together on the
analysis side is problematic too (which I know you well understand). So
- your effort to keep these these records tied to one event is very much
appreciated!
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
y record gets only logged on *modifying*
>> operations, which should not be that frequent, and thus it shouldn't
>> be a problem to output a bit of potentially useful information.
> We're after just security information.
+1. Sometimes more isn't merrier.
:-)
LC
your audit logs.
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
me idea what is happening (if
you care).
Then your "my-rename" program subject type of my_rename_t can be used as
an exclude on the rule. Of course, the caller must then know to use this
rather than the standard utilities.
HTH,
LCB
--
Lenny Bruzenak
MagitekLTD
--
Linux-audit mailin
then
know to use this rather than the standard utilities.
This sounds useful and might solve our problem, will it be possible to
share some examples on how this can be achieved?
Replying off-list as it is not specifically audit-focused. See Paul, I
CAN learn. 😁
LCB
--
Lenny Bruzenak
47 matches
Mail list logo