Bug 483086 - RFE: fix tty audit reporting
Summary: RFE: fix tty audit reporting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit
Version: 5.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
Assignee: Steve Grubb
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks: 497518
Reported: 2009-01-29 17:14 UTC by Rob Marti
Modified: 2018-10-20 01:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 484648 (view as bug list)
Environment:
Last Closed: 2009-09-02 09:50:05 UTC
Target Upstream Version:
Embargoed:


Attachments
Decode the hexadecimal representation used in audit logs (388 bytes, text/plain), 2009-02-10 13:15 UTC, Miloslav Trmač
Audit output (1.75 KB, text/x-python), 2009-02-10 21:24 UTC, Adam Miller


Links
Red Hat Product Errata RHEA-2009:1303 (priority normal, status SHIPPED_LIVE): audit enhancement update, last updated 2009-09-01 10:07:01 UTC

Description Rob Marti 2009-01-29 17:14:51 UTC
Description of problem:
Ref.235021 - If the only way to enable the auditing is to maintain a separate package can we get a bash-audit package built at RH instead of trying to maintain one on our own?

Version-Release number of selected component (if applicable):
bash-3.2-24.el5

Comment 1 Jim Perrin 2009-01-30 02:46:25 UTC
This feature would very much be useful to us. I'd like to see this package included or added as well.

Comment 2 Tom Sorensen 2009-01-30 03:16:29 UTC
Useful here too; unclear why the feature was added without making it available without a custom rebuild.

Comment 3 Roman Rakus 2009-02-09 09:28:31 UTC
Yep. It's a good idea. It will be in Fedora 11 and then in RHEL6.

Comment 4 Roman Rakus 2009-02-09 13:09:14 UTC
On second look, the bash auditing is (should be) enabled.
Try this:
- append to /etc/pam.d/system-auth:
        session required pam_tty_audit.so disable=* enable=root

  - as root => chars entered in audit.log
  - as non-root: no chars entered

If this is ok, I think there's no need to separate packages with and without enabled auditing.

Comment 5 Jim Perrin 2009-02-09 17:40:46 UTC
This seems like it logs just fine to /var/log/audit/audit.log, however I'm a bit unsure of how to extract the audited information from the audit log with aureport. Is there an option to pass for bash audit reporting?

Comment 6 Rob Marti 2009-02-10 04:38:41 UTC
I added the line to /etc/pam.d/system-auth, and I get the following:

[root@ss-5-89 ~]# vim /etc/sysconfig/iptables
[root@ss-5-89 ~]# tail -5 /var/log/audit/audit.log
type=TTY msg=audit(1234239611.005:2317): tty pid=15771 uid=0 auid=500 major=136 minor=21 comm="bash" data=636174202F6574632F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F76696D202F6574632F737973636F6E7F66097F6E6609697074090D
type=USER_TTY msg=audit(1234239611.005:2318): user pid=15771 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg=76696D202F6574632F737973636F6E6669672F69707461626C6573
type=TTY msg=audit(1234239613.702:2319): tty pid=15836 uid=0 auid=500 major=136 minor=21 comm="vim" data=1B5B3E303B3133363B30633A71210D
type=TTY msg=audit(1234239632.197:2320): tty pid=15771 uid=0 auid=500 major=136 minor=21 comm="bash" data=7461696C202F7661722F6C6F672F617564096175091B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B4F441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B441B5B442D35200D
type=USER_TTY msg=audit(1234239632.197:2321): user pid=15771 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg=7461696C202D35202F7661722F6C6F672F61756469742F61756469742E6C6F67
[root@ss-5-89 ~]#

So I can see what pid launched vim, and use that to track what user ran it... but I have no idea what file was edited.

Is this what the patch provided in 235021 enables?  For some reason I thought it was going to be a lot more for PCI compliance.  If this is it though, I'll go ahead and close the RFE.

Comment 7 Miloslav Trmač 2009-02-10 13:15:53 UTC
Created attachment 331422 [details]
Decode the hexadecimal representation used in audit logs

The quoted log contains specific information in the 'data' and 'msg' fields; I'm afraid the audit tools in RHEL5.3 do not support extraction of the information yet.

The output of (ausearch -i) on the above input data will return something like:

type=TTY msg=audit(10.2.2009 05:20:11.005:2317) : tty pid=15771 uid=root auid=mitr major=136 minor=21 comm=bash data="cat /etc/",<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,<backspace>,"vim /etc/syscon",<backspace>,"f",<tab>,<backspace>,"nf",<tab>,"ipt",<tab>,<ret>
type=USER_TTY msg=audit(10.2.2009 05:20:11.005:2318) : user pid=15771 uid=root auid=mitr subj=user_u:system_r:unconfined_t:s0 msg="vim /etc/sysconfig/iptables"
type=TTY msg=audit(10.2.2009 05:20:13.702:2319) : tty pid=15836 uid=root auid=mitr major=136 minor=21 comm=vim data=,<esc>,"[>0;136;0c:q!",<ret>
type=TTY msg=audit(10.2.2009 05:20:32.197:2320) : tty pid=15771 uid=root auid=mitr major=136 minor=21 comm=bash data="tail /var/log/aud",<tab>,"au",<tab>,<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<esc>,"OD",<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,<left>,"-5 ",<ret>
type=TTY msg=audit(10.2.2009 05:20:13.702:2319) : tty pid=15836 uid=root auid=mitr major=136 minor=21 comm=vim data=,<esc>,"[>0;136;0c:q!",<ret>
type=USER_TTY msg=audit(10.2.2009 05:20:32.197:2321) : user pid=15771 uid=root auid=mitr subj=user_u:system_r:unconfined_t:s0 msg="tail -5 /var/log/audit/audit.log"


For now, you can use e.g. the attached Python script to decode the "msg=" and "data=" fields.
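The attached script is not reproduced on this page, so here is an added decoder (not the attachment, and not part of audit) that turns the hex "data="/"msg=" payload into the same token style ausearch -i uses above. The only keys it names are the ones visible in the decoded output (backspace, tab, ret, esc, left); up/down/right are assumed from the standard ANSI cursor-key table.

```python
import re

# Control bytes that ausearch -i names, as seen in the decoded output above.
CONTROL_NAMES = {0x7F: "<backspace>", 0x09: "<tab>", 0x0D: "<ret>", 0x1B: "<esc>"}
# CSI cursor keys: ESC [ D -> <left> is shown above; the other three are
# assumed from the standard ANSI table, not taken from this bug.
CSI_KEYS = {b"\x1b[A": "<up>", b"\x1b[B": "<down>",
            b"\x1b[C": "<right>", b"\x1b[D": "<left>"}
# Hex run right after data= or msg=, followed by whitespace or end of line;
# the lookahead stops "msg=audit(...)" from being taken for hex.
FIELD_RE = re.compile(r"\b(data|msg)=([0-9A-Fa-f]+)(?=\s|$)")
# Raw USER_TTY record copied from comment 6 above, used as sample input.
SAMPLE = ("type=USER_TTY msg=audit(1234239611.005:2318): user pid=15771 uid=0 "
          "auid=500 subj=user_u:system_r:unconfined_t:s0 "
          "msg=76696D202F6574632F737973636F6E6669672F69707461626C6573")

def decode_tty_hex(hexdata):
    """Hex keystroke payload -> ausearch -i style tokens (quoted runs, named keys)."""
    raw = bytes.fromhex(hexdata)
    tokens, text = [], []

    def flush():  # close the current run of printable characters
        if text:
            tokens.append('"' + "".join(text) + '"')
            text.clear()

    i = 0
    while i < len(raw):
        if raw[i:i + 3] in CSI_KEYS:            # 3-byte arrow-key sequence
            flush()
            tokens.append(CSI_KEYS[raw[i:i + 3]])
            i += 3
            continue
        b = raw[i]
        if b in CONTROL_NAMES:
            flush()
            tokens.append(CONTROL_NAMES[b])
        elif 0x20 <= b < 0x7F:
            text.append(chr(b))
        else:                                    # other control or 8-bit byte
            flush()
            tokens.append("<0x%02X>" % b)
        i += 1
    flush()
    return tokens

def decode_record(line):
    """Rewrite the data=/msg= hex fields of one raw audit.log line in place."""
    return FIELD_RE.sub(lambda m: m.group(1) + "=" + ",".join(decode_tty_hex(m.group(2))), line)
```

Feeding a whole audit.log through decode_record() line by line gives the readable form shown in this comment without needing the 5.4 ausearch.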

Comment 8 Steve Grubb 2009-02-10 17:30:27 UTC
In reply to comment #5, just run aureport --tty.

Comment 9 Adam Miller 2009-02-10 21:24:58 UTC
Created attachment 331472 [details]
Audit output

I work with Rob and I took the code previously posted and just kind of added a bit to it. What I am doing is just taking in the output from 'tail -f /var/log/audit/audit.log' and piping it to my script. Right now it just spits out to the terminal but I make a comment where to make the change to write to the file.

Just figured I would post in case anyone would be able to use the code.

Comment 10 Jim Perrin 2009-02-11 13:40:21 UTC
(In reply to comment #8)
> In reply to comment #5, just run aureport --tty.

This machine is a fully patched RHEL 5 update3 box, however aureport --tty isn't a valid option. Running it generates an error and usage statement. See paste below:

[root@ibmlt ~]# aureport --tty
--tty is an unsupported option
usage: aureport [options]


This is followed by the various options, but --tty is not listed, nor is anything which could be similar. 

Ideas?

Comment 11 Steve Grubb 2009-02-11 14:04:02 UTC
OK, I see. There was talk above about Fedora and I thought this was a Fedora bug. Since it's RHEL, you are right, you cannot run that command yet. It's scheduled for the 5.4 update.

Looking back over this bug, I am trying to figure out the next steps. It looks like people didn't know that auditing was enabled via pam. That was configured and now you have auditing of the bash prompt. The next problem is that displaying the results is problematic. That would not be a bash bug.

Is this bug closable or should it be redirected to the audit package or another bug opened?

Comment 12 Jim Perrin 2009-02-11 14:29:15 UTC
I'm fine with it being reassigned to the audit package.

As a side note, do people want details for each and every keypress, or just a record of what command was actually run?

In my situation and looking at the output above, I don't care if people used tab complete to find a file to edit with vim, I just care that they ran vim against the file.

Comment 13 Steve Grubb 2009-02-11 14:48:22 UTC
Yes, people do want all keys pressed. Sometimes you run an ncurses app that does things as admin and the security officer may want to know exactly what they did. OK, I can transfer this to the audit package, but what should the title be?

Comment 16 Steve Grubb 2009-04-22 21:27:41 UTC
audit-1.7.13-1 was built to solve this problem in RHEL5.4

Comment 17 Jim Perrin 2009-04-23 01:15:45 UTC
Excellent. This is the one currently listed at people.redhat.com I assume? I'll give it a build tomorrow morning and test it out.

Comment 24 errata-xmlrpc 2009-09-02 09:50:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1303.html
