BSM, SSH, and Session ID


BSM, SSH, and Session ID

by Crist J. Clark-2

I am trying to write a script that does the following:

        1) Finds all root logins and su's to root.
        2) Tracks all commands run after that login.
        3) Associates each command with its login.

Sounds easy, huh? Devil's in the details.

Current method of attack is to find all of the su's and logins,
and save the session ID. Then I can go through and pick out the
'exec' events with that session ID and run as root. My old
method was to follow all of the forks from a login. It was not
pretty, but seemed to work most of the time. I thought following
session IDs would be more robust and less error prone.

But I have an audit trail here that is confounding my best
efforts. What we have is a "forced" SSH command. There are a
few problems with the trail. First, it looks like it starts
forking children before the login. Second, the login has a
different session ID than its children. I'm a bit confused
about what is going on here. Here's the audit trail. It's in
XML format. I find that easier to read with the labels.

What's killing me is that the login (the 'login - ssh' event)
has a different session ID than its children (the 'exec(2)'
of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
need to revert to my old method? This is Solaris 9 using
the Sun SSH daemon.


<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl' href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN' 'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="732">
<path>/usr/bin/sh</path>
<attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469" device="0"/>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="741">
<argument arg-num="0" value="0x5e03" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="764">
<path>/usr/bin/locale</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411" device="0"/>
<exec_args><arg>/usr/bin/locale</arg><arg>-a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="800">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="801">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit state" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit policy flags" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST 2007" msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="598">
<path>/usr/bin/ksh</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497" device="0"/>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="614">
<path>/etc/security/sox_baseline</path>
<attribute mode="100755" uid="root" gid="other" fsid="136" nodeid="64371" device="0"/>
<exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
--
Crist J. Clark                     |     cjclark@...
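
The session-ID approach the post describes, with a fork-lineage fallback for exactly the mismatch in this trail, as an added Python example that is not part of the original post. It assumes praudit XML of the shape shown above; SAMPLE_TRAIL is a constructed abridgement of that trail, and treating an event named 'su' as a login is an assumption.

```python
# Added example, not code from the original post. It attributes Solaris BSM
# (praudit XML) exec records to the login that spawned them: first by the
# session-ID match the post describes, then, when the sid is unknown (here
# 'login - ssh' carries a different sid than its children), by walking
# fork(2)/vfork(2) lineage. SAMPLE_TRAIL is a constructed abridgement.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMPLE_TRAIL = """<audit>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="732">
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST 2007" msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="598">
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
</record>
</audit>
"""

def record_time(rec):
    """time="Thu Jan 11 10:46:21 PST 2007" msec="568" -> datetime.
    The zone token is dropped; strptime's %Z only knows a few names."""
    parts = rec.get("time").split()
    del parts[4]
    base = datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    return base + timedelta(milliseconds=int(rec.get("msec", "0")))

def parse_trail(xml_text):
    """Return (logins, execs, parent_of): login and exec entries in file
    order, plus child pid -> parent pid from fork/vfork 'child PID' args."""
    logins, execs, parent_of = [], [], {}
    for rec in ET.fromstring(xml_text).iter("record"):
        subj = rec.find("subject")
        if subj is None:
            continue
        event = rec.get("event")
        entry = {"event": event, "pid": int(subj.get("pid")),
                 "sid": subj.get("sid"), "uid": subj.get("uid"),
                 "when": record_time(rec)}
        if event in ("fork(2)", "vfork(2)"):
            arg = rec.find("argument")
            if arg is not None and arg.get("desc") == "child PID":
                parent_of[int(arg.get("value"), 16)] = entry["pid"]  # hex child pid
        elif event.startswith("login - ") or event == "su":  # 'su' name is assumed
            logins.append(entry)
        elif event == "execve(2)":
            entry["argv"] = [a.text.strip() for a in rec.iter("arg") if a.text]
            execs.append(entry)
    return logins, execs, parent_of

def ancestors(pid, parent_of):
    """Yield pid, its parent, grandparent, ... (cycle-safe for bad trails)."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        yield pid
        pid = parent_of.get(pid)

def attribute_execs(logins, execs, parent_of, uid="root"):
    """Map login index -> execs run as `uid` under it; also return orphans.
    A sid match wins; otherwise the newest login on a fork ancestor that
    precedes the exec is used, so the pre-login locale probe stays an
    orphan while 'ksh -c /etc/security/sox_baseline' lands on the login."""
    by_sid, by_pid = {}, {}
    for i, lg in enumerate(logins):
        by_sid.setdefault(lg["sid"], i)
        by_pid.setdefault(lg["pid"], []).append(i)
    attributed, orphans = {i: [] for i in range(len(logins))}, []
    for ex in execs:
        if ex["uid"] != uid:
            continue
        idx = by_sid.get(ex["sid"])
        if idx is None:
            for anc in ancestors(ex["pid"], parent_of):
                cands = [i for i in by_pid.get(anc, [])
                         if logins[i]["when"] <= ex["when"]]
                if cands:
                    idx = max(cands, key=lambda i: logins[i]["when"])
                    break
        (attributed[idx] if idx is not None else orphans).append(ex)
    return attributed, orphans
```

Run against the full trail, the sid match finds nothing for the login's sid 3603920788, and the lineage fallback is what ties the sox_baseline exec to pid 24065.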

Re: BSM, SSH, and Session ID

by Jim Stewart-3

Although I haven't tried it on Solaris I use sudosh to accomplish a
similar task for auditing the usage of the root account on Linux and
AIX. That might help you out.

-Jim

On 1/22/07, Crist J. Clark <cristclark@...> wrote:

> I am trying to write a script that does the following:
>
>         1) Finds all root logins and su's to root.
>         2) Tracks all commands run after that login.
>         3) Associates each command with its login.
>
> Sounds easy, huh? Devil's in the details.
>
> Current method of attack is to find all of the su's and logins,
> and save the session ID. Then I can go through and pick out the
> 'exec' events with that session ID and run as root. My old
> method was to follow all of the forks from a login. It was not
> pretty, but seemed to work most of the time. I thought following
> session IDs would be more robust and less error prone.
>
> But I have an audit trail here that is confounding my best
> efforts. What we have is a "forced" SSH command. There are a
> few problems with the trail. First, it looks like it starts
> forking children before the login. Second, the login has a
> different session ID than its children. I'm a bit confused
> about what is going on here. Here's the audit trail. It's in
> XML format. I find that easier to read with the labels.
>
> What's killing me is that the login (the 'login - ssh' event)
> has a different session ID than its children (the 'exec(2)'
> of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
> need to revert to my old method? This is Solaris 9 using
> the Sun SSH daemon.

Re: BSM, SSH, and Session ID

by Jalex-2

I don't think writing a 'script' to monitor anything at all for that
purpose is going to be ingenious enough to really matter.

You can circumvent the login passing an arg to ssh (avoids recording to
'who' and 'last'):
$ ssh user@host bash

1. Wrapping shells has limited capabilities and there are a ton of ways
to work around any controls in place.
     a. Someone installs their own version of a shell binary
     b. ssh tunneling that opens a port where a custom-written client
sits waiting to echo any commands sent to it from a remote host through
the tunnel.

2. Solaris has audit features but that could get a little chatty if you
log every available command.  I would use it to track any basic commands
like mv, cp, rm, scp, sftp, unlink.

4. There are commercial tools that provide some controls on top of what
Solaris offers, such as limiting access by date/time, some logging
similar to shell wrapping.

5. Honestly, I always ran 'script' to capture my actions for my own
protection.  If you cannot trust your admins (not the people who just
do useradd, etc., but the guys that set up SAN disk, install patches,
troubleshoot, strace, analyze core files, etc.), then you are
swimming upriver to start with.  **tip: don't piss users off if you
don't have to**

As long as you allow someone to login and run any arbitrary commands,
they have the potential to avoid any logging or tracking you may set up.

The most common approaches are more tedious but more reliable for
reaching the goal I think you are stepping toward:
* audit your system (tripwire, symantec esm, etc) for risks regularly
* require planned and documented requests to make changes, when possible
* lock root with an automated system that can be used for giving out a
password to only one person at any one time (holding that person
responsible for any impacts created by their access whether they used
the id or gave it to a buddy)
* create scripts to automate any repeatable tasks (user mgt, job
scheduling, file mgt, etc.) so that the user must use the script and
cannot execute the commands directly.

-JA

Crist J. Clark wrote:

> I am trying to write a script that does the following:
>
> 1) Finds all root logins and su's to root.
> 2) Tracks all commands run after that login.
> 3) Associates each command with its login.
>
> Sounds easy, huh? Devil's in the details.
>
> Current method of attack is to find all of the su's and logins,
> and save the session ID. Then I can go through and pick out the
> 'exec' events with that session ID and run as root. My old
> method was to follow all of the forks from a login. It was not
> pretty, but seemed to work most of the time. I thought following
> session IDs would be more robust and less error prone.
>
> But I have an audit trail here that is confounding my best
> efforts. What we have is a "forced" SSH command. There are a
> few problems with the trail. First, it looks like it starts
> forking children before the login. Second, the login has a
> different session ID than its children. I'm a bit confused
> about what is going on here. Here's the audit trail. It's in
> XML format. I find that easier to read with the labels.
>
> What's killing me is that the login (the 'login - ssh' event)
> has a different session ID than its children (the 'exec(2)'
> of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
> need to revert to my old method? This is Solaris 9 using
> the Sun SSH daemon.


Re: BSM, SSH, and Session ID

by Crist J. Clark-2

On Thu, Jan 25, 2007 at 09:49:03PM -0500, Jalex wrote:
> I don't think writing a 'script' to monitor anything at all for that
> purpose is going to be ingenious enough to really matter.
>
> You can circumvent the login passing an arg to ssh (avoids recording to
> 'who' and 'last'):
> $ ssh user@host bash

Sorry, I guess I wasn't clear at start of the message. The
script is reading Solaris BSM (auditing) logs.

You cannot circumvent it by doing 'ssh host sh'.

> 1. Wrapping shells has limited capabilities and there are a ton of ways
> to work around any controls in place.
>     a. Someone installs their own version of a shell binary
>     b. ssh tunneling that opens a port where a custom-written client
> sits waiting to echo any commands sent to it from a remote host through
> the tunnel.

Always found running a shell or other arbitrary commands from within
vi or Perl (both usually available from a restricted shell), the
easy way out. But it doesn't matter when using BSM.

> 2. Solaris has audit features but that could get a little chatty if you
> log every available command.  I would use it to track any basic commands
>  like mv, cp, rm, scp, sftp, unlink.

This is exactly what I am doing.


--
Crist J. Clark                     |     cjclark@...

Re: BSM, SSH, and Session ID

by Jalex-2

Solaris BSM makes more sense.  I didn't realize it was the praudit XML
output.

Are you logging in as root through ssh or is that just the way it is
logging it?

I can't recall how Sun SSH on Solaris 9 behaves but recent versions of
Sun SSH/OpenSSH should fork off before the login because the sshd
process that a user is connected to after authentication runs with their
privileges, not root's.  It should always be a different session, even
if the user login is root.

Are you just auditing the root user?



Re: BSM, SSH, and Session ID

by Crist J. Clark-2

On Fri, Jan 26, 2007 at 08:03:04PM -0500, Jalex wrote:
> Solaris BSM makes more sense.  I didn't realize it was the praudit xml
> output.
>
> Are you logging in as root through ssh or is that just the way it is
> logging it?

Yes. The particular example below is a "forced command"
associated with a specific "authorized key." Root cannot
log in except "without password" and all authorized keys
have forced commands for some specific tasks.

> I can't recall how Sun SSH on Solaris 9 behaves but recent versions of
> Sun SSH/OpenSSH should fork off before the login because the sshd
> process that a user is connected to after authentication runs with their
> privileges, not root's.  It should always be a different session, even
> if the user login is root.

Something like that is going on, but it's not turning out
how I would expect. Here's the process tree,

   sshd
  [26065]
     | \
     |  sh -c locale -a
     |      [26066]
     |           \
     |            locale -a
     |\            [26067]
     | \
     |  sshd
     |  [26068]
     |       \
     |        ksh -c etc/security/sox_baseline
     |                  [26069]
 (auditon)                   \...
(ssh - login)

So, we start with the sshd child spawned by the listening daemon,
26065. It runs the locale command. Then it spins off another
child, 26068. This child runs the forced command and all of
those children sprout off of that branch. The parent sshd doesn't
call auditon, log the login, or change the session ID until
_after_ it's forked the child doing all of the work.

I've trussed sshd, but it just made my head hurt more.

What gets annoying in other cases is that if the user logging
in is non-root, the "audit user" is root for all of the children
processes doing the work, like 26068 in this case, and the
"do nothing" main sshd process is the one that gets its audit
user changed to the user logging in. I end up with a bunch of
logs that I don't want.

> Are you just auditing the root user?

For all exec's and fork's, yes, just root.


--
Crist J. Clark                     |     cjclark@...
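Following the diagnosis in the reply above, here is an added example (my code, not anything posted in the thread) that parses praudit XML records, builds the fork/vfork parent map from the hex "child PID" arguments, and walks each execve(2) back up to the login's pid, next to the session-ID match from the first post, which finds nothing for this login. The sample trail is constructed from the records quoted in the thread, and the no-PID-reuse assumption is mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the praudit XML quoted in the thread. Note
# the fork of 24068 precedes its parent's 'login - ssh' record, whose sid
# (3603920788) differs from the one every child carries (3539585011).
SAMPLE_TRAIL = """<audit>
<record event="fork(2)" msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" pid="24065" sid="3539585011"/>
</record>
<record event="login - ssh" msec="568">
<subject audit-uid="root" pid="24065" sid="3603920788"/>
</record>
<record event="fork(2)" msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" pid="24068" sid="3539585011"/>
</record>
<record event="execve(2)" msec="598">
<path>/usr/bin/ksh</path>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline</arg></exec_args>
<subject audit-uid="root" pid="24069" sid="3539585011"/>
</record>
</audit>"""

def parse_records(xml_text):
    """Flatten each <record>; fork/vfork records carry the child PID in hex."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj, arg = rec.find("subject"), rec.find("argument[@desc='child PID']")
        out.append({"event": rec.get("event"), "pid": int(subj.get("pid")),
                    "sid": subj.get("sid"),
                    "child": int(arg.get("value"), 16) if arg is not None else None,
                    "args": [a.text for a in rec.findall("exec_args/arg")]})
    return out

def execs_by_sid(records, login):
    """Session-ID method from the first post: match execs on the login's sid."""
    return [r["args"] for r in records
            if r["event"].startswith("exec") and r["sid"] == login["sid"]]

def execs_by_fork_tree(records, login):
    """Follow fork/vfork child PIDs up to the login's pid instead. Assumes no
    PID reuse within the trail (a full version would drop pids at exit(2))."""
    parent = {r["child"]: r["pid"] for r in records if r["child"] is not None}
    def descends_from_login(pid):
        while pid in parent:            # walk up the ancestry chain
            pid = parent[pid]
            if pid == login["pid"]:
                return True
        return False
    return [r["args"] for r in records
            if r["event"].startswith("exec") and descends_from_login(r["pid"])]
```

Because the parent map is built from the whole trail, the fork that happened before the login record is still attributed to it, which is exactly the case that defeats the sid match.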