I'm trying to track down the source cause of a break-in on a server hosting a customer's website. auditd is a great help in showing me what directory to look in when yet another bit of malware (the site is something of a mess, but not mine to clear up even if I wanted to) activates and screws up the site, but the audit logs are tricky to read because it also logs the ssh activity from a monitoring script that connects every two minutes to check various statuses, as well as another monitoring system that's triggered by cron.
I've made several attempts in auditctl to tell it to stop reporting these:
root@zelia:/var/log/audit# auditctl -l
-a never,user -F auid=116
-a never,task -F auid=116
-a never,exit -S all -F auid=116
-a never,exit -S all -F uid=116
(UID 116, user 'meminfo' is the one I want to suppress)
However, every few minutes I still get the following:
type=USER_ACCT msg=audit(1491386883.189:462708): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/usr/sbin/sshd" hostname=prtg.systemec.nl addr=89.20.80.149 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1491386883.189:462709): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="meminfo" exe="/usr/sbin/sshd" hostname=monitor.company.internal addr=89.20.80.149 terminal=ssh res=success'
type=LOGIN msg=audit(1491386883.189:462710): pid=1502 uid=0 old-auid=4294967295 auid=116 old-ses=4294967295 ses=368164 res=1
type=USER_ACCT msg=audit(1491386883.197:462711): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1491386883.197:462712): pid=1504 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="meminfo" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1491386883.213:462713): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1491386883.365:462714): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
As a result, audit logs keep filling up and I'm missing important backlog.
On the other hand, while I don't think the breakin is happening via SSH, a log of who logs onto the server when may be useful to have handy.
Obviously, the rules I attempted to add to keep meminfo suppressed don't work correctly. What am I doing wrong?
ADDENDUM: For some reason, adding auditctl -a never,task afterwards causes the never,task rule to be loaded first and everything gets suppressed, including what I really did want to see.
ADDENDUM #2: As explained in this question, the messages I'm trying to suppress are generated by default by the PAM subsystems and not by additional rules in audit.rules, so that's an additional problem...
In your logfile, uid=0 on these lines means these processes are started by root, not meminfo. This may be caused by running the program from root's crontab, or if the process invokes a service that must first be started as root (with setuid) to enable it to use privileged ports <1024. Probably you do not want to suppress all auid=0 activity, as it would suppress something meaningful.

If your auditd can filter by process name, i.e. exe=, like RHEL7 since BZ#1135562, suppressing sshd started by root should be safe IF you also have PermitRootLogin no:

However, in most cases -F is limited to fields outside msg=' ' and only has operators that won't allow regular expressions: -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v].

One option is to increase max_log_file or num_logs to keep more history, if the log size is not a problem. You don't have to read the log format directly, as you have aureport and ausearch.
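As an added example (not code from either post): since auditctl -F cannot see the acct=, exe= or hostname= fields nested inside msg='...', one alternative is to post-process the records and drop the monitoring account's events afterwards, while keeping the other SSH logins the asker wanted to retain. The sample records, the "deploy" account and the addresses are constructed, and the parser is a plain key=value split, not libauparse.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the audit.log lines quoted in the question.
# Serials, hostnames and addresses are made up (documentation ranges).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1491386883.189:462708): pid=1502 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="meminfo" exe="/usr/sbin/sshd" hostname=monitor.example.internal addr=192.0.2.10 terminal=ssh res=success'
type=LOGIN msg=audit(1491386883.189:462710): pid=1502 uid=0 old-auid=4294967295 auid=116 old-ses=4294967295 ses=368164 res=1
type=SERVICE_START msg=audit(1491386883.213:462713): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="user@116" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1491386900.001:462720): pid=1600 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="deploy" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=SYSCALL msg=audit(1491386901.500:462721): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2000 pid=2001 auid=1000 uid=33 comm="php-fpm" exe="/usr/sbin/php-fpm7.0" key="webroot"
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# key=value pairs: value is a 'single-quoted' nested blob, a "double-quoted" string, or bare.
KV_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record into a flat dict; fields inside msg='...' get a 'msg.' prefix."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec = {"type": m[1], "ts": m[2], "serial": m[3]}
    for key, val in KV_RE.findall(m[4]):
        if val.startswith("'"):
            # The PAM/systemd fields (acct=, exe=, hostname=) live here, out of reach of -F.
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec["msg." + k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def is_monitor_noise(rec: Dict[str, str], acct: str, uid: str) -> bool:
    """Match the monitoring account by nested acct=, by auid=, or by its systemd user@UID unit."""
    return (rec.get("msg.acct") == acct or rec.get("auid") == uid
            or rec.get("msg.comm") == f"user@{uid}")

def filter_log(text: str, acct: str = "meminfo", uid: str = "116") -> List[Dict[str, str]]:
    """Drop the monitoring account's records, keep everything else (including other SSH logins)."""
    records = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in records if not is_monitor_noise(r, acct, uid)]

def ssh_logins(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(timestamp, account, source address) for each sshd accounting event that remains."""
    return [(r["ts"], r["msg.acct"], r["msg.addr"]) for r in records
            if r["type"] == "USER_ACCT" and r.get("msg.exe") == "/usr/sbin/sshd"]

if __name__ == "__main__":
    print(ssh_logins(filter_log(SAMPLE_LOG)))
```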