LinuxQuestions.org
Old 11-30-2011, 01:16 PM   #1
julienr78
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Rep: Reputation: 1
auditd never logs arguments when sending to remote server


I seem to be getting different results when sending my auditd logs off box.

This is what I see on the local box after doing ausearch -k "My Key":

time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=1 name=(null) inode=228906 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=0 name="/bin/ls" inode=97994 dev=03:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
node=192.168.91.147 type=CWD msg=audit(1322675279.923:2995): cwd="/etc"
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls" a1="-l"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"


and this is what I get on the remote server:

time->Wed Nov 30 17:47:59 2011
node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls"
node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 success=yes exit=0 a0=8c5e28 a1=8c8ec8 a2=8c1008 a3=0 items=2 ppid=30917 pid=31368 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=14 comm="ls" exe="/bin/ls" key="My Key"


As you can see, I'm losing "a1=-l" and a bunch more information.

In the /var/log/audit/audit.log file on the server, I get a bunch of blank spaces after a0="ls". It would seem to me that would be the culprit, but I don't know how to fix it.

I'm using audisp-remote to send the data across.

Client:
Debian Lenny with 1.7.4-1
Server:
CentOS 5.5 with 1.7.18-2.el5

Any ideas??
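A small checker, added here as an example (it is not from the post or from the audit project), that parses records like the ones quoted above and flags EXECVE records whose argc is not backed by a matching set of aN fields, plus record types present in the local log but absent from the remote copy. The sample lines are constructed from the output in the post, trimmed to the relevant fields.

```python
import re

# Constructed sample records modelled on the local and remote ausearch output
# quoted in the post; they are not the poster's actual log files.
LOCAL = [
    'node=192.168.91.147 type=PATH msg=audit(1322675279.923:2995): item=0 name="/bin/ls" inode=97994',
    'node=192.168.91.147 type=CWD msg=audit(1322675279.923:2995): cwd="/etc"',
    'node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls" a1="-l"',
    'node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 a0=8c5e28 a1=8c8ec8 comm="ls" key="My Key"',
]
REMOTE = [
    'node=192.168.91.147 type=EXECVE msg=audit(1322675279.923:2995): argc=2 a0="ls"',
    'node=192.168.91.147 type=SYSCALL msg=audit(1322675279.923:2995): arch=c000003e syscall=59 a0=8c5e28 a1=8c8ec8 comm="ls" key="My Key"',
]

# key="quoted value" or key=bare_value, as audit records are laid out
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values are unquoted."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def event_id(fields):
    """msg=audit(1322675279.923:2995): -> '1322675279.923:2995'."""
    m = re.search(r'audit\(([^)]+)\)', fields.get('msg', ''))
    return m.group(1) if m else None

def truncated_execve(lines):
    """EXECVE records whose aN fields do not cover every argv index up to argc
    (e.g. argc=2 but only a0 present). Returns [(event, argc, [present N])]."""
    bad = []
    for line in lines:
        f = parse_record(line)
        if f.get('type') != 'EXECVE':
            continue  # SYSCALL records also carry a0..a3, but those are raw args
        present = sorted(int(k[1:]) for k in f if re.fullmatch(r'a\d+', k))
        if present != list(range(int(f['argc']))):
            bad.append((event_id(f), int(f['argc']), present))
    return bad

def missing_on_remote(local_lines, remote_lines):
    """(event, type) pairs seen in the local log but absent from the remote copy."""
    def key(line):
        f = parse_record(line)
        return (event_id(f), f.get('type'))
    remote = {key(l) for l in remote_lines}
    return sorted(k for k in map(key, local_lines) if k not in remote)
```

Run against a full local audit.log and the server-side copy of the same window, the two functions show whether the loss is only inside EXECVE (a1 dropped) or whole record types (PATH, CWD) never arriving.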
 
Old 11-30-2011, 02:37 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
Does /var/log/audit/audit.log on the client show all args correctly? If so then what is the audit version? CentOS, which BTW is at release 5.7 now, has audit-1.7.18-2.el5 which logs args correctly. In the meanwhile, but only if /var/log/audit/audit.log on the client shows all args correctly, a workaround could be to install Rsyslogd and have it read and send the log to the server. An example of having Rsyslogd read a file (real simple) is here: http://www.linuxquestions.org/questi...3/#post4495746
 
Old 11-30-2011, 03:02 PM   #3
julienr78
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 1
The local audit.log is showing correctly. I just checked on Squeeze and everything logs correctly. My testing system was Lenny, but the end system that I'm going to be using is Squeeze, so everything is working correctly. So 1.7.4 on the client side was the culprit.
 