Why doesn't this rule block syscall records?

Wieprecht, Karen M. Karen.Wieprecht at jhuapl.edu
Fri Jul 13 13:03:51 UTC 2007


While working on parsing the ausearch output on RHEL 4 update 4 and
RHEL4 update 5, I've noticed that there are some records generated that
have auid of unset/unknown (depending on which version of
auditd/ausearch you are using) that you may not wish to blindly ignore.
For instance, an ssh login goes through some pam checks, and even
though the auid is unset/unknown, you can still discern who was trying
to log in and which pam check failed from elsewhere in the record,
something you may or may not wish to see when reviewing your logs.

I think I've seen similar things when users log in at the console, but
I'd have to double check.

Another important place I see records with auid unset/unknown is when an
already-logged-in user initiates an "su". I've been able to determine
the actual auid and effective UID (who the person was trying to become
via "su") from other things in the audit record, but this is another
case where you may not want to simply ignore records that have auid
unset/unknown.

Food for thought,

Karen Wieprecht

-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Taylor_Tad at emc.com
Sent: Friday, July 13, 2007 8:19 AM
To: sgrubb at redhat.com; linux-audit at redhat.com
Subject: RE: Why doesn't this rule block syscall records?

It's pretty much a stock RHEL 4.4 system.

    {marge.rtp.dg.com}_5: rpm -q kernel audit audit-libs
    kernel-2.6.9-42.EL
    audit-1.0.14-1.EL4
    audit-libs-1.0.14-1.EL4
    {marge.rtp.dg.com}_6:

So, is the general idea behind the rules sound? You should be able to
block audit records for unset auids?
  
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Thursday, July 12, 2007 4:39 PM
To: linux-audit at redhat.com
Cc: Taylor, Tad
Subject: Re: Why doesn't this rule block syscall records?

On Thursday 12 July 2007 01:22:35 pm Taylor_Tad at emc.com wrote:
> I was trying out a syscall entry rule that I thought would block audit
> records from system services/daemons that haven't had their audit ID
> (auid) set yet.

Which kernel are you using? There was a signed/unsigned promotion and
comparison bug fixed not too long ago.

-Steve


--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
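The thread makes two points a log reviewer has to reconcile: a rule that filters on auid=-1 depends on how the kernel compares -1 against the unsigned 4294967295, and records whose auid is unset (ssh PAM checks, "su" from a logged-in user) still carry enough in their other fields to identify the actor and outcome. The script below is an added example, not code from the thread or from the audit project: it parses constructed records modeled on RHEL 4-era raw ausearch output (the exact field layout of that era's PAM records is an assumption), normalizes every spelling of "unset" to one value, and recovers acct=, uid=, addr= and res= from the records it would otherwise have dropped.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample records modeled on RHEL 4-era raw ausearch output
# (not real log data): a failed ssh password check, an "su" attempt from
# an already-logged-in user, and an ordinary syscall record.
SAMPLE_RECORDS: List[str] = [
    "type=USER_AUTH msg=audit(1184331831.123:456): user pid=4411 uid=0 "
    "auid=4294967295 msg='PAM: authentication acct=bob : "
    "exe=\"/usr/sbin/sshd\" (hostname=10.0.0.5, addr=10.0.0.5, "
    "terminal=ssh res=failed)'",
    "type=USER_AUTH msg=audit(1184331900.400:470): user pid=4520 uid=500 "
    "auid=4294967295 msg='PAM: authentication acct=root : "
    "exe=\"/bin/su\" (hostname=?, addr=?, terminal=pts/1 res=success)'",
    "type=SYSCALL msg=audit(1184331950.000:480): arch=40000003 syscall=5 "
    "success=yes exit=3 a0=bfffe0 a1=0 a2=1b6 a3=0 items=1 pid=4600 "
    "auid=500 uid=500 gid=500 euid=500 comm=\"cat\" exe=\"/bin/cat\"",
]

# Spellings of "no login uid" seen across auditd/ausearch versions.
# 4294967295 and -1 are the same 32-bit pattern; a rule comparing auid
# against -1 only works if both sides are promoted the same way.
UNSET_AUID_SPELLINGS = {"4294967295", "-1", "unset", "unknown"}

HEADER_RE = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit record into a flat dict of key/value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    body = m.group(4)
    # PAM records nest their payload in msg='...'; unwrap it so the inner
    # acct=/exe=/addr=/res= fields are parsed along with the outer ones.
    inner = re.search(r"msg='(.*)'$", body)
    if inner:
        body = body[: inner.start()] + inner.group(1)
    for key, value in FIELD_RE.findall(body):
        # Values may carry a trailing comma or paren from the "(hostname=..,
        # addr=.., res=..)" group; quotes wrap exe= and comm=.
        rec[key] = value.strip("\",)")
    return rec


def normalize_auid(value: Optional[str]) -> Optional[int]:
    """Return the login uid as an int, or None when it was never set."""
    if value is None or value in UNSET_AUID_SPELLINGS:
        return None
    return int(value)


def triage(lines: List[str]) -> List[Dict[str, Any]]:
    """Summarize each record without discarding the ones whose auid is unset.

    For PAM-style USER_* records the account named is recovered from acct=,
    the program from exe=, the origin from addr= and the outcome from res=;
    for an "su" the outer uid= shows who initiated it. Syscall records fall
    back to auid/exe.
    """
    summaries: List[Dict[str, Any]] = []
    for line in lines:
        rec = parse_record(line)
        auid = normalize_auid(rec.get("auid"))
        entry: Dict[str, Any] = {
            "serial": rec["serial"],
            "type": rec["type"],
            "auid_unset": auid is None,
            "via": rec.get("exe"),
        }
        if rec["type"].startswith("USER_"):
            entry["target_acct"] = rec.get("acct")
            entry["caller_uid"] = rec.get("uid")
            entry["source_addr"] = rec.get("addr")
            entry["result"] = rec.get("res")
        else:
            entry["caller_uid"] = None if auid is None else str(auid)
        summaries.append(entry)
    return summaries


if __name__ == "__main__":
    for summary in triage(SAMPLE_RECORDS):
        print(summary)
```

Run against real ausearch output the script would be fed line by line from `ausearch --raw`; the point of `triage()` is that the decision to keep or drop a record is made on what the record says about the actor, not on the auid field alone.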