Security Event Auditing - Auditd

[marekzima]

Hello,

I have successfully configured 'auditd' and also 'auditdistd', but I've got one problem.
Let me describe ...
1. I have disabled root access via SSH, and disallowed 'su -', so only sudo for couple of admins is allowed
2. I've configured to audit also file access (create, delete, modify, read, ...)
3. Everything works fine ... but ... !!!!

!!!! .... but .... if admin restart service via 'sudo service <name> restart' or '/etc/rc.d/<name> ...
then the audit logs everything configured for user which runs service via 'sudo'.

f.e. if 'sudo service postfix restart' is done, service runs under postfix user as it should but auditd logs events for postfix process (file access) under user which executed this 'sudo' command, so every file access postfix does (mail creation, mail open ... etc.) is logged as user activity. (I've tired also 'su -' - I allowed it for test, but the behaviour of audit is the same as for sudo command)

Is it possible to solve this? To make some exceptions or what to do? I'd like to monitor sysadmins work on servers but if they restart service than it should be the last audit log (they executed something and that's all).

Thanks for every help.

Marek

 

[SirDice]

I probably wouldn't 'disable' su(1), lots of daemons are started through it. Only users in the wheel group are allowed to su(1) so don't add users to that group. That effectively disables users accessing it while still allowing root to su(1) for various daemons.

 

[marekzima]

I mean that ... disabled 'su -' for user means, it is not in 'wheel' group
But this is not my problem, my problem is to create some exception (like f.e. redhat has with audit.rules).
1. I will log to system as 'testuser' .... audit logs login of test user
2. testuser runs: sudo service postfix restart .... audit logs test user accessed to postfix and executed it
3. <<<<PROBLEM>>>> .... postfix runs under user 'postfix' (not testuser) ... but ... audit logs every file access which postfix does as 'testuser' does !!!!

As I wrote, I need to monitor what sysadmins do but when he runs the service, the action of service should not be audited (logged).

So, if you know, please, help me (do not discuss about 'su -' it does not matter if I do "sudo service postfix start" or I do 'su -' and then "# service postfix start", the behaviour of audit logs is the same ... it records every file access which postfix does as it was done by user which runs the service ... and this is my problem ... I'd like to eliminate that !

 

[SirDice]

postfix runs under user 'postfix' (not testuser)

Yes, that's the correct behavior.

... but ... audit logs every file access which postfix does as 'testuser' does !!!!

This doesn't sound right indeed.

do not discuss about 'su -' it does not matter if I do "sudo service postfix start" or I do 'su -' and then "# service postfix start", the behaviour of audit logs is the same

Actually, there should be a difference between sudo service ... and su -. The difference being that sudo somecommand doesn't run a login shell whereas su - does.

Is there a difference if you use sudo -i compared to su -?

 

[marekzima]

Hello,

It does not matter if I use 'sudo service postfix restart' or I do 'su -' or 'sudo -i' ...
----
$ sudo -i
root@mail_node_2:~ # service postfix restart
postfix/postfix-script: stopping the Postfix mail system
postfix/postfix-script: waiting for the Postfix mail system to terminate
postfix/postfix-script: starting the Postfix mail system
----
After that I see in my logs this:
----
header,184,11,rename(2),0,Fri Jul 12 19:12:31 2019, + 490 msec
path,/var/spool/postfix/incoming/489940.38075
attribute,600,postfix,wheel,73,3691825,0
path,/var/spool/postfix/incoming/77A1F385531
subject,testuser,postfix,postfix,postfix,postfix,38075,37821,49895,10.10.10.6
return,success,0
trailer,184
----

Mail is incomming, postfix is working on it but because the service start was initiated by 'testuser' it logs now all postfix activity (according user settings: testuser:lo,+fr,+fw,+fc,+fd:no in audit_user config file) as it is activity of that user.

And this I do not want ... why it is happening ? (I can understand, that you see all things user starts, so you see if he run some bad code and what that code (app) does, OK), but I'd like to control it ... when he starts regular service, to do not do that.

'cause postfix is doing his job and not the user ... after that user is filling logs and it is not user job but postfix job!
How to eliminate that?

Thanks

Marek

 

[marekzima]

So, It looks like, nobody knows

 

[SirDice]

I too would expect to see the postfix messages to be logged as the 'postfix' user, not the user that happened to have started the service. But my knowledge of auditd(8) doesn't extend far enough to help you with it. I've tried to eliminate some possible causes but those appear to be dead-ends. So I'm just as stumped as you.

I'd try one of the mailing lists if you really want to know why. Although, admittedly, I'm not even sure which one would be best to ask on. Maybe try freebsd-security@ fist as that seems to be the most appropriate.

 

[marekzima]

OK.
RedHat has additional "audit.rules" config file, where you can do some exceptions ... FreeBSD does not have it yet
I've created 2 scripts, 1st replaced 'service' command which create temp file with requested action. 2nd runs as root in cron every minute and read this temp file and do service action requested
This works fine, however you do not see possible warnings or error outputs, but cron script can log it to separate log file
and of course sysadmin does not have to use /etc/rc.d/<service> command directly ... I put it into rules of use

So, I'll see, maybe FreeBSD will create new version as RedHat did or I will have to look for some 3rd party solutions I like FreeBSD more that RedHat

Thanks anyway.