auditd audit.log not display date or user

mccartjd · 05-21-2008, 11:29 AM

My usernames and dates for events generated by auditd into the audit.log file look weired. I can not make out the date and user who provoked the event. All the other logs look good. Any clue how to fix?

John

unSpawn · 05-21-2008, 05:46 PM

Timestamp has standard UNIX epoch time stamp format. "Users" are of the .*UID variety. From now on* make it your default to be specific in your questions. Saying "weird" is NOT an objective description. And also make it a habit to voluntarily provide *exact* details, configs, log excerpts and whatnot to support your questions.

mccartjd · 05-27-2008, 10:47 AM

Below is a sample of what my auditd logs look like. Is there a way to make the output of the logs more transparent to the vieweer; in other words the user action, dates and times are more consisitent with the other logs (SYSTEM for example) where it is apparent without a great deal of diffiuctly to determine who did what and when.

type=PATH msg=audit(1211897052.289:243529): name="/usr/share/icons/hicolor/48x48/actions" flags=103 inode=8094776 dev=08:05 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1211897052.290:243530): arch=c000003e syscall=2 success=yes exit=19 a0=7b5700 a1=10800 a2=2 a3=61 items=1 pid=8010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="gedit" exe="/usr/bin/gedit"

Below is a SYSTEM LOG which the date/time/user and action are apparent.

May 27 10:16:39 localhost gdm(pam_unix)[5010]: session closed for user smithers

Thanks
John

unSpawn · 05-27-2008, 01:19 PM

Timestamp is epoch and users are .*UID, so resolving shouldn't be that hard. Here's an example:

Code:

#!/bin/sh --
HEADER="/lib/modules/$(uname -r)/build/include/asm-i386/unistd.h"
function resEpoch() { /bin/date --date "$(eval echo $[$(date +%s)-$1]) seconds ago" 2>/dev/null; }
function resSyscall() { SYSCALL=$(grep "^#define.__NR.*[[:blank:]]${1}$" "$HEADER" 2>/dev/null)
 [ ${#SYSCALL} -eq 0 ] && echo ENOFILE || { SYSCALL=(${SYSCALL/*_}); echo "${SYSCALL[0]}"; }; }
function resUid() { getent passwd "$1"|awk -F':' '{print $1}'; }
tac /var/log/audit/audit.log | grep -m 30 "^type=SYSCALL.*success=no" | tac | while read LINE; do
 LINE=(${LINE}); RES_EPOCH=${LINE[1]/*\(}; RES_EPOCH=${RES_EPOCH%.*} 
 PRN_EPOCH=$(resEpoch $RES_EPOCH); PRN_SYSCALL=$(resSyscall ${LINE[3]/*=})
 RES_UID=${LINE[14]/*=}; PRN_UID=$(resUid $RES_UID); PRN_BIN=${LINE[24]//*=/}
 PRN_SUCCESS=${LINE[4]/*=}; unset LINE[0] LINE[1]; LINE=(${LINE[*]})
 echo "${PRN_EPOCH} ${PRN_SYSCALL} ${PRN_SUCCESS} $PRN_UID ${PRN_BIN} ${LINE[$[${#LINE[@]}-1]]:4}"
done; exit 0

If you change anything I'd appreciate it if you reciprocate and post your diffs here.

mccartjd · 05-27-2008, 05:30 PM

unSpawn,

Did you want me to copy and paste the above into a file and if so what do I do with it? I'm not a programmer so please forgive me.

Thanks
John

unSpawn · 05-27-2008, 06:52 PM

It's a simple Bash shell script you can run.

abefroman · 06-11-2008, 03:47 PM

When I run that I don't get any output. By looking at the code, it should be reading the log in reverse order and then echo'ing it to the screen.

Any ideas?

root@test [~]# ./auditread.sh
root@test [~]#
root@test [~]# ls /var/log/audit/
./ ../ audit.log
root@test [~]#
root@test [~]#
root@test [~]# head -5 /var/log/audit/audit.log
type=CRED_DISP msg=audit(1213186256.105:20663): user pid=31333 uid=0 auid=0 msg='PAM setcred: user="root" exe="/usr/sbin/sshd" (hostname=hostname.com, addr=11.11.11.11, terminal=ssh result=Success)'
type=USER_END msg=audit(1213186256.108:20664): user pid=31333 uid=0 auid=0 msg='PAM session close: user="root" exe="/usr/sbin/sshd" (hostname=hostname.com, addr=11.11.11.11, terminal=ssh result=Success)'
type=USER_ACCT msg=audit(1213186259.895:20665): user pid=1891 uid=0 auid=4294967295 msg='PAM accounting: user="root" exe="/usr/sbin/sshd" (hostname=hostname.com, addr=11.11.11.11, terminal=ssh result=Success)'
type=CRED_ACQ msg=audit(1213186259.898:20666): user pid=1891 uid=0 auid=4294967295 msg='PAM setcred: user="root" exe="/usr/sbin/sshd" (hostname=hostname.com, addr=11.11.11.11, terminal=ssh result=Success)'
type=LOGIN msg=audit(1213186259.899:20667): login pid=1891 uid=0 old auid=4294967295 new auid=0
root@test [~]#

unSpawn · 06-11-2008, 05:42 PM

True, but it also greps for "^type=SYSCALL.*success=no" since not everybody reads system call numbers (I know I don't). The CRED/USER lines are kind of selfexplanatory IMHO. I mean all that's left to expand are IDs, nothing else is obfuscated, right?

abefroman · 06-11-2008, 07:14 PM

Quote:

Originally Posted by unSpawn

True, but it also greps for "^type=SYSCALL.*success=no" since not everybody reads system call numbers (I know I don't). The CRED/USER lines are kind of selfexplanatory IMHO. I mean all that's left to expand are IDs, nothing else is obfuscated, right?

Thanks! I overlooked that.

abefroman · 06-11-2008, 07:16 PM

You said to post changes here.

I changed this line:
tac /var/log/audit/audit.log | grep -m 30 "^type=SYSCALL.*success=no" | tac | while read LINE; do
to be:
tac /var/log/audit/audit.log |grep -v cron |grep -v login | tac | while read LINE; do

This is useful if you are just watching a few certin files, and want more detailed info than what AIDE can do.

unSpawn · 06-11-2008, 08:17 PM

Thanks for posting, however that won't work (you'd see a lot of "ENOFILE" mistranslations) because not every audit message consist of the same amount and similar value elements:

Code:

SYSCALL:           27
USER_START:        17
USER_END:          17
USER_CHAUTHTOK:    16
USER_ROLE_CHANGE:  15
CONFIG_CHANGE:     10
LOGIN:             9
ANOM_PROMISCUOUS:  6

to post just a few. You could also decide if you want to see *everything* of just everything that's *not* succesful ('egrep "(t=no|s=fail|denied)"').

Just my 2 tangkas.