kernel audit logging wont work

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

kernel audit logging wont work

Postby frankcc » Sat Jun 07, 2003 2:32 am

i have specified kernel auditing to log everything on the group 1002 (shellusers) but it dont log anything from them.... not in /var/log/messages or /var/log/syslog even.

anybody?
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Sat Jun 07, 2003 12:15 pm

Check your syslog.conf, and look for a rule on kern.info or kern.*, and see where the auditing logs are being output.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby frankcc » Sat Jun 07, 2003 12:44 pm

spender wrote:Check your syslog.conf, and look for a rule on kern.info or kern.*, and see where the auditing logs are being output.

-Brad

it stands
kern.* -/var/log/kern.log

but they are not there...
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Sat Jun 07, 2003 12:54 pm

Can you paste your config?
You might have enabled sysctl support and forgotten to enable the various options/set the GIDs.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby frankcc » Sat Jun 07, 2003 12:58 pm

spender wrote:Can you paste your config?
You might have enabled sysctl support and forgotten to enable the various options/set the GIDs.

-Brad



# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some `catch-all' logfiles.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg *

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.crit;news.err;news.notice;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Sat Jun 07, 2003 1:08 pm

Sorry, I meant the grsecurity portion of your kernel config.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby frankcc » Sat Jun 07, 2003 1:14 pm

spender wrote:Sorry, I meant the grsecurity portion of your kernel config.

-Brad


where do i find that?
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Sat Jun 07, 2003 1:17 pm

In your kernel source tree, the file is named ".config"

ls /proc/sys/kernel/grsecurity

Will also tell me what I needed to know.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby frankcc » Sat Jun 07, 2003 1:20 pm

spender wrote:In your kernel source tree, the file is named ".config"

ls /proc/sys/kernel/grsecurity

Will also tell me what I needed to know.

-Brad


debian:~# ls /proc/sys/kernel/grsecurity
acl audit_ipc fifo_restrictions signal_logging
audit_chdir audit_mount forkfail_logging timechange_logging
audit_gid chroot_execlog grsec_lock
audit_group exec_logging linking_restrictions

Here you will find the kernel config
http://blackout.ath.cx/~frankcc/.config
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby frankcc » Tue Jun 10, 2003 3:25 am

please help me, i really need to get this working.

i tryed to cat everything in /proc/sys/kernel/grsecurity

and the output was "0" on all of the files.
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Tue Jun 10, 2003 10:05 am

Go back and read the kernel configuration help for the sysctl option. You need to echo 1 to the features you want to enable, and echo a gid to the options with "gid" in their name, to set the gid to operate on for the particular feature.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby frankcc » Wed Jun 11, 2003 7:31 am

well, how do i do that? i have read the acl things...

debian:/proc/sys/kernel/grsecurity# echo 1002 audit_group
1002 audit_group
debian:/proc/sys/kernel/grsecurity# cat audit_group
0
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby fonya » Wed Jun 11, 2003 8:37 am

Try this:
echo 1002 > /proc/sys/kernel/grsecurity/audit_group


Don't forget the '>' sign!!!
fonya
 
Posts: 36
Joined: Thu Mar 28, 2002 11:22 am

Postby frankcc » Wed Jun 11, 2003 9:09 am

lol, cant believe i forgot that.

but it still dont work...
:-?
frankcc
 
Posts: 12
Joined: Wed May 28, 2003 3:12 pm

Postby spender » Wed Jun 11, 2003 9:23 am

You only echo a gid to the entries with "gid" in their name. For that one, you echo a 1 to it to enable the gid-based auditing.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Next

Return to grsecurity support