Linux – suppress audit events from a specific user

Tags: auditd, linux

I'm trying to track down the source of a break-in on a server hosting a customer's website.

auditd is a great help in showing me what directory to look in when yet another bit of malware (the site is something of a mess, but not mine to clear up even if I wanted to) activates and screws up the site, but the audit logs are tricky to read because it also logs the ssh activity from a monitoring script that connects every two minutes to check various statuses, as well as another monitoring system that's triggered by cron.

I've made several attempts in auditctl to tell it to stop reporting these:

root@zelia:/var/log/audit# auditctl -l 
-a never,user -F auid=116
-a never,task -F auid=116
-a never,exit -S all -F auid=116
-a never,exit -S all -F uid=116

(UID 116, user 'meminfo' is the one I want to suppress)

However, every few minutes I still get the following:

type=USER_ACCT msg=audit(1491386883.189:462708): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/usr/sbin/sshd" hostname=prtg.systemec.nl addr=89.20.80.149 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1491386883.189:462709): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="meminfo" exe="/usr/sbin/sshd" hostname=monitor.company.internal addr=89.20.80.149 terminal=ssh res=success'
type=LOGIN msg=audit(1491386883.189:462710): pid=1502 uid=0 old-auid=4294967295 auid=116 old-ses=4294967295 ses=368164 res=1
type=USER_ACCT msg=audit(1491386883.197:462711): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1491386883.197:462712): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1491386883.213:462713): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1491386883.365:462714): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

As a result, audit logs keep filling up and I'm missing important backlog.

On the other hand, while I don't think the breakin is happening via SSH, a log of who logs onto the server when may be useful to have handy.

Obviously, the rules I attempted to add to keep meminfo suppressed don't work correctly. What am I doing wrong?

ADDENDUM For some reason, adding auditctl -a never,task afterwards causes the never,task rule to be loaded first and everything gets suppressed, including what I really did want to see.

ADDENDUM #2 As explained in this question, the messages I'm trying to suppress are generated by default by the PAM subsystems and not by additional rules in audit.rules, so that's an additional problem…

Best Answer

In your logfile, uid=0 on these lines means these processes are started by root, not meminfo.

auid=500

The auid field records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with the su - john command).

uid=500

The uid field records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command: ausearch -i --uid UID. In this case, 500 is the user ID of user shadowman.

This may be caused by running the program from the root user's crontab, or by the process invoking a service that must first be started as root (with setuid) to enable it to use privileged ports <1024.

Probably you do not want to suppress all auid=0 activity as it would suppress something meaningful.

If your auditd can filter by process name i.e. exe=, like RHEL7 since BZ#1135562, suppressing sshd started by root should be safe IF you also have PermitRootLogin no:

auditctl -a never,user -F auid=0 -F exe="/usr/sbin/sshd"
auditctl -a never,task -F auid=0 -F exe="/usr/sbin/sshd"

However, in most cases -F is limited to fields outside msg=' ' and only has operators that won't allow regular expressions: -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v].


One option is to increase the max_log_file or num_logs to keep more history, if the log size is not a problem. You don't have to read the log format directly, as you have aureport and ausearch.
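As an added illustration (not part of the question or the answer above), the following Python parses the records quoted in the question and checks which `-F field=value` conditions could match them; `rule_matches` is a simplified equality model and an assumption, not the kernel's filter code, and `is_monitor_noise` is a suggested userspace post-filter for reading the log with the monitoring chatter removed, which keeps the LOGIN records as a trail of who logged on when.

```python
import re

AUID_UNSET = "4294967295"  # loginuid not yet set; the kernel prints it as (unsigned)-1

# Constructed excerpt: four of the records quoted in the question, not a full log.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1491386883.189:462708): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/usr/sbin/sshd" hostname=prtg.systemec.nl addr=89.20.80.149 terminal=ssh res=success'
type=LOGIN msg=audit(1491386883.189:462710): pid=1502 uid=0 old-auid=4294967295 auid=116 old-ses=4294967295 ses=368164 res=1
type=USER_START msg=audit(1491386883.197:462712): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1491386883.213:462713): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# key=value pairs; values may be "double-quoted", 'single-quoted' (nested message) or bare
PAIR_RE = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    """Flatten one audit record into a dict; pairs nested inside msg='...' are merged in."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if value.startswith("'"):                 # nested PAM/daemon message body
            fields.update(parse_record(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def rule_matches(rec, **conds):
    """Model of an auditctl '-F field=value' conjunction (equality only; an assumption, not kernel code)."""
    return all(rec.get(k) == str(v) for k, v in conds.items())

def is_monitor_noise(rec):
    """Post-hoc filter for the meminfo monitoring chatter; LOGIN records are kept as the login trail."""
    pam_for_meminfo = rec.get("acct") == "meminfo" and rec.get("exe") in ("/usr/sbin/sshd", "/lib/systemd/systemd")
    user_manager = rec.get("comm") == "user@116"   # systemd's user@<uid> service for uid 116
    return rec.get("type") != "LOGIN" and (pam_for_meminfo or user_manager)

def filter_noise(records):
    return [r for r in records if not is_monitor_noise(r)]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:   # only the LOGIN record carries auid=116; the PAM records still have auid unset and uid=0
        print(f"{r['type']:<14} auid={r['auid']:<11} uid={r['uid']} matches -F auid=116: {rule_matches(r, auid='116')}")
    print("kept after post-filter:", [r["type"] for r in filter_noise(recs)])
```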
