[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.9.12 released

I don't seem to get the filtering on auid to work ...
I am attaching a test case so you can see how I am testing this ..
I am on kernel.65 and audit 0.9.12

Test strategy:
1- add filter rules for a user
2- add a watch on a file
3- create two temp users (my users have to be in Wheel trusted group in 4- order to ssh into the system .. may not apply to everybody).
5- spawn ssh session user1 localhost and touch the watched file
6- Remove the file(so other user can touch it again)
7- spawn ssh session user2 localhost and touch the watched file
8- stop auditd and copy the audit.log to a temp file (/tmp/loginuid_logs)

For Step 1 above, I tried the following scenarios:
	auditctl -a watch,always -F auid=uid1
	auditctl -a watch,never -F auid!=uid1
	auditctl -a watch,always -F auid=uid1
	auditctl -a watch,never -F auid=uid2

Neither seems to work .. in the log I still see watch records for open on the watched file generated by both users!!

- Loulwa

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/utsname.h>

int uid1=580;
int uid2=650;
char user1[] = "tmp-user1";
char user2[] = "tmp-user2";
char* password = "eal";
char* encryptedpassword = "42VmxaOByKwlA";
static const char* tempname = "/tmp/testXXXXXX\0";

int rc;
int fd1, fd2;                         /* file descriptor */
char script_cmd1[1000], script_cmd2[1000], exec_cmd[1000];
char *filename1, *filename2;

int main(int ac, char **av)
    char command[256];

    system("/etc/rc.d/init.d/auditd stop");
    system("rm -f /var/log/audit/audit.log");

    system("rm /tmp/loginuid_logs -f");

    system("/etc/rc.d/init.d/auditd start");

 /* Create expect script file to execute ftp session  */
    filename1 = (char *) malloc(strlen(tempname));
    strcpy(filename1, tempname);
    if ((fd1 = mkstemp(filename1)) == -1) {
		 printf("File creation error\n");
    filename2 = (char *) malloc(strlen(tempname));
    strcpy(filename2, tempname);
    if ((fd2 = mkstemp(filename2)) == -1) {
		 printf("File creation error\n");

/* create test users */
		 sprintf(command, "/usr/sbin/useradd -u %d -m -G wheel -p %s %s",uid1,encryptedpassword,user1);
		 sprintf(command, "/usr/sbin/useradd -u %d -m -G wheel -p %s %s",uid2,encryptedpassword,user2);

/* insert watches and filters on loginuid "uid1" */
		 system("auditctl -w /tmp/file1 -k loginuid-key");
		 sprintf(command, "auditctl -a watch,always -F auid=%d", uid1);
		 sprintf(command, "auditctl -a watch,never -F auid!=%d", uid1);
		 //sprintf(command, "auditctl -a watch,never -F auid=%d", uid2);

        sprintf(script_cmd1, "expect -c \"spawn /usr/bin/ssh %s localhost \nsleep 1 \nexpect -re \\\"password: \\\" \nsleep 1 \nsend \\\"%s\\r\\n\\\" \nsleep 1 \nexpect -re \\\"> \\\" \nsleep 1 \nsend \\\"touch /tmp/file1\\r\\n\\\" \nsleep 1 \nsend \\\"exit\\\" \nsend_user \\\"exit\\n\\\"\"", user1, password);

        sprintf(script_cmd2, "expect -c \"spawn /usr/bin/ssh %s localhost \nsleep 1 \nexpect -re \\\"password: \\\" \nsleep 1 \nsend \\\"%s\\r\\n\\\" \nsleep 1 \nexpect -re \\\"> \\\" \nsleep 1 \nsend \\\"touch /tmp/file1\\r\\n\\\" \nsleep 1 \nsend \\\"exit\\\" \nsend_user \\\"exit\\n\\\"\"", user2, password);

        write(fd1, script_cmd1, strlen(script_cmd1));
        fchmod(fd1, S_IRWXU | S_IRWXG | S_IRWXO);

        sprintf(exec_cmd, "/bin/sh -f %s", filename1);

		 system("rm -f /tmp/file1");


        write(fd2, script_cmd2, strlen(script_cmd2));
        fchmod(fd2, S_IRWXU | S_IRWXG | S_IRWXO);

        sprintf(exec_cmd, "/bin/sh -f %s", filename2);

        /* Stop auditd to prevent more log entries. */
    		 system("auditctl -W /tmp/file1");
        system("/etc/rc.d/init.d/auditd stop");

        system("cat /var/log/audit/audit.log >> /tmp/loginuid_logs");
		 system("rm -f /tmp/file1");

/* cleanup users and files */

    if (filename1 != NULL) {
    if (filename2 != NULL) {
    sprintf(command, "/usr/sbin/userdel -r %s", user1);

    sprintf(command, "/usr/sbin/userdel -r %s", user2);

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]