Use of System-config-users not capturing activity

FyveSyx · 12-15-2010, 08:56 AM

Hello Linux Community.

I have an auditing problem. I am required to be able to track user account modifications (creates, deletes, password changes, etc.) My team and I implemented auditd 1.7.17 and borrowed an existing rule set from /usr/share/doc/audit-1.7.17/nispom.rules. What we're seeing is that user account activity from the command line is retrievable by doing an 'aureport -m'. However, doing the same through the GUI, 'aureport -m' does not display the activity. So I have two questions:

1. Is there another location I should be looking to find the user creation activities when using the GUI?

2. Is there a way to make the activity using the GUI be captured in /var/log/audit/audit.log so 'aureport -m' can report it?

Someone suggested a PAM configuration change, but was not able to tell me what change to make.

Any help would be greatly appreciated.

FyveSyx

unSpawn · 12-15-2010, 02:53 PM

What does your audit.rules file contain right now? (Please don't leave anything out except comments and obfuscate any key that gives away your location or the regulations you need to adhere to.) What did you and your team try to catch these exceptions? Can you give an example of "user account modifications" you need track?

FyveSyx · 12-15-2010, 03:40 PM

Thank you for your reply.

The contents are as follows. I enclosed the section I think sets up tracking when a user gets created, deleted, changes their password, gets assigned a new group, etc.

Like I said, everything is fine as long as someone uses the command. Whatever is done in the GUI doesn't appear to be captured the same way.

Code:

##
## This file contains the a sample audit configuration intended to
## meet the NISPOM Chapter 8 rules.
##
## This file should be saved as /etc/audit/audit.rules.
##
## For audit 1.6.5 and higher
##

## Remove any existing rules
-D

## Increase buffer size to handle the increased number of messages.
## Feel free to increase this if the machine panic's
-b 8192

## Set failure mode to panic
-f 2

## Audit 1, 1(a) Enough information to determine the date and time of
## action (e.g., common network time), the system locale of the action,
## the system entity that initiated or completed the action, the resources
## involved, and the action involved.

## Things that could affect time
-a entry,always -F arch=b32 -S adjtimex -S clock_settime -S settimeofday -k time-change
-a entry,always -F arch=b64 -S adjtimex -S clock_settime -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change

## Things that could affect system locale
-a exit,always -F arch=b32 -S sethostname -k system-locale
-a exit,always -F arch=b64 -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
## This is covered by patches to login, gdm, and openssh
## Might also want to watch these files if needing extra information
#-w /var/log/faillog -p wa -k logins
#-w /var/log/lastlog -p wa -k logins
#-w /var/log/btmp -p wa -k logins
#-w /var/run/utmp -p wa -k logins

## Audit 1, 1(c) Successful and unsuccessful accesses to
## security-relevant objects and directories, including
## creation, open, close, modification, and deletion.

## unsuccessful creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation

## unsuccessful open - open and openat may be combined on support arches
-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b32 -S openat -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S openat -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S openat -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S openat -F exit=-EPERM -k open

## unsuccessful close
-a exit,always -F arch=b32 -S close -F exit=-EACCES -k close
-a exit,always -F arch=b64 -S close -F exit=-EACCES -k close

## unsuccessful modifications - renameat may be combined on supported arches
-a exit,always -F arch=b32 -S rename -S truncate -S ftruncate -F exit=-EACCES -k mods
-a exit,always -F arch=b64 -S rename -S truncate -S ftruncate -F exit=-EACCES -k mods
-a exit,always -F arch=b32 -S renameat -F exit=-EACCES -k mods
-a exit,always -F arch=b64 -S renameat -F exit=-EACCES -k mods
-a exit,always -F perm=a -F exit=-EACCES -k mods
-a exit,always -F perm=a -F exit=-EPERM -k mods

## unsuccessful deletion - unlinkat may be combined on supported arches
-a exit,always -F arch=b32 -S rmdir -S unlink -F exit=-EACCES -k delete 
-a exit,always -F arch=b64 -S rmdir -S unlink -F exit=-EACCES -k delete 
-a exit,always -F arch=b32 -S unlinkat -F exit=-EACCES -k delete
-a exit,always -F arch=b64 -S unlinkat -F exit=-EACCES -k delete
############################################################################
## Audit 1, 1(d) Changes in user authenticators.                           #                               
## Covered by patches to libpam, passwd, and shadow-utils                  #                                             
## Might also want to watch these files for changes                        #
-w /etc/group -p wa -k auth                                                #
-w /etc/passwd -p wa -k auth                                               #
-w /etc/gshadow -p wa -k auth                                              #
-w /etc/shadow -p wa -k auth                                               #
-w /etc/security/opasswd -p wa -k auth                                     #
############################################################################
## Audit 1, 1(e) The blocking or blacklisting of a user ID,
## terminal, or access port and the reason for the action.
## Covered by patches to pam_tally2 and pam_limits

## Audit 1, 1(f) Denial of access resulting from an excessive
## number of unsuccessful logon attempts.
## Covered by patches to pam_tally2

## Audit 1, 2 Audit Trail Protection. The contents of audit trails
## shall be protected against unauthorized access, modification,
## or deletion.
## This should be covered by file permissions, but we can watch it
## to see any activity
-w /var/log/audit/ -k audit-logs

## Not specifically required by NISPOM; but common sense items
## Optional - could indicate someone trying to do something bad or
## just debugging
#-a entry,always -F arch=b32 -S ptrace -k paranoid
#-a entry,always -F arch=b64 -S ptrace -k paranoid

## Optional - could be an attempt to bypass audit or simply legacy program
#-a exit,always -F arch=b32 -S personality -k paranoid
#-a exit,always -F arch=b64 -S personality -k paranoid

## Put your own watches after this point
# -w /your-file -p rwxa -k mykey

## Make the configuration immutable
#-e 2

unSpawn · 12-16-2010, 10:41 AM

My bad for not asking you what you and your team already tried (as in posting log excerpts)... Anyway. My target is Centos-5U5 with PAM, SELinux targeted policy and auditd enabled and I'll use the default KDE tool "kdepasswd" to change an unprivileged users password. Let's first focus on the groundwork the OS provides. Changing a password requires a userland binary ("/usrbin/passwd"). That binary needs to signal the kernel work needs to be done and as usual this involves system calls. A narrow-focused (leaving out lots) 'strace' (open, execute) of using the binary shows that:

Code:

open("/lib/libselinux.so.1", O_RDONLY)  = 3
open("/etc/pam.d/passwd", O_RDONLY|O_LARGEFILE) = 4
open("/etc/pam.d/system-auth", O_RDONLY|O_LARGEFILE) = 5
open("/dev/pts", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4
open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 4
open("/etc/shadow", O_RDONLY)           = -1 EACCES (Permission denied)
open("/var/run/utmp", O_RDONLY|O_LARGEFILE) = 4
execve("/usr/bin/passwd", ["/usr/bin/passwd"], [/* 49 vars */]) = 0

PAM, SELinux and auditd libraries get loaded and configuration files read, a pseudo-terminal gets requested, utmp is checked, the binary executes itself (duh) and /etc/passwd and /etc/shadow are accessed. Ergo the open and execve syscalls are crucial in determining what happens.
* Note PAM provides its own independent logging.

Enter /usr/bin/kdepasswd. Before we use it have a look at this:

Code:

ldd /usr/bin/passwd|grep crypt
        libcrypt.so.1 => /lib/libcrypt.so.1
ldd /usr/bin/kdepasswd|grep crypt

From this you know kdepasswd can't change a password by itself. It has to execute passwd. Another hint is provided when you 'strings /usr/bin/kdepasswd | grep passwd':

Code:

Conversation with 'passwd' failed.
Could not find the program 'passwd'.

* In short here your target isn't whatever the Desktop Environment offers but the system utilities underneath.

Here is an excerpt from /var/log/audit/audit.log for user UID=501 changing his password with "/usr/bin/kdepasswd". Before I continue you should note I stripped out any "type=CWD cwd="/home/USER"" lines that get logged when the execve syscall rule gets triggered, any .qtrc.lock and .kstylerc.lock errors (SYSCALL success=no exit triggers for KDE base components like dcopserver, kdeinit, kded or kbuildsycoca in the unconfined_t context), any lines with a context of ld_so_t and any host, epoch, arch, args, id and other distractive or repetitive details. Note password changing here itself fails because the user auth files have "iu" file atributes.

Code:

type=SYSCALL syscall=EXECVE success=yes exit=0 items=2 ppid=6922 pid=6934 auid=501 uid=501 tty=pts3   ses=4 comm="passwd"    exe="/usr/bin/passwd" subj=user_u:system_r:unconfined_t:s0 key="BIN_logins"
type=EXECVE  argc=1 a0="/usr/bin/passwd"
type=PATH    item=0 name="/usr/bin/passwd" inode=714641 mode=0104755 ouid=0 ogid=0 obj=system_u:object_r:passwd_exec_t:s0
type=SYSCALL syscall=RENAME success=no exit=-1 items=4 ppid=6922 pid=6937 auid=501 uid=501 tty=pts3   ses=4 comm="passwd"  exe="/usr/bin/passwd" subj=user_u:system_r:unconfined_t:s0 key="CFG_logins"
type=PATH    item=2 name="/etc/nshadow" inode=65057 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=PATH    item=3 name="/etc/shadow"  inode=66209 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=USER_CHAUTHTOK user pid=6937 uid=501 auid=501 subj=user_u:system_r:unconfined_t:s0 msg='PAM: chauthtok acct="USER" : exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/3 res=failed)'
type=USER_CHAUTHTOK user pid=6937 uid=501 auid=501 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=501    exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/3 res=failed)'

Once kdepasswd is started a pseudo-terminal gets requested and the binary executes /usr/bin/passwd as expected:
type=SYSCALL syscall=EXECVE: this rule (key=BIN_logins) logs /usr/bin/passwd execution.
type=SYSCALL syscall=RENAME: this rule watches /etc/shadow (your key=auth).
type=USER_CHAUTHTOK: as stated before PAM conveniently provides its own independent logging.
* Also if you have a watch on wherever KDE expects its $TMP you will see temporary "/${TMP}/.kdepasswd.*" files.

From a log auditing point of view, even without explicit syscall=execve success=yes rules for kdepasswd or KDE components you can establish who does what because logging works per session (ses=4). 'ausearch -l -r --start today --session 4' should get you the whole session 4 for today and 'ausearch -l -r --start today --loginuid 501 --session 4 --comm passwd --success yes' for instance only what UID=501 did today in session 4 and related to the passwd binary. In conjunction with epoch time and all user identifiers getting logged you definitely would not have a hard time establishing who did what.

As for the audit.rules my rules match your enclosed section. I add failed syscalls:

Code:

-a exit,always -S chmod -S fchmod -S fchmodat -S chown -S chown32 -S fchown -S fchown32 -S fchownat -S lchown -S umask -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F exit=-EACCES -F auid!=0 -F auid!=4294967295 -k FAIL
-a exit,always -S chmod -S fchmod -S fchmodat -S chown -S chown32 -S fchown -S fchown32 -S fchownat -S lchown -S umask -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F exit=-EPERM  -F auid!=0 -F auid!=4294967295 -k FAIL

to watch for privilege violations which may get you more verbose and collateral logging. Depending on machine use this may enlarge log size quite a bit.
I configure key usage for three related purposes: syscalls (SYS_), configuration files (CFG_) and binaries (BIN_). So the "BIN_logins" key comprises of any passwd, group and ch.*-related binaries, for example:

Code:

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid!=0 -F auid!=4294967295 -k BIN_logins

and the "CFG_logins" key watches /etc/passwd and related user auth files. There are no related system calls else there would be a SYS_logins key as well. Grouping them like this makes it easier to (know what to) grep logs for. Anyway. That's about it. Syscalls and watches work. Let me know if it doesn't.