Re: BSM, SSH, and Session ID



I don't think writing a 'script' to monitor anything at all for that purpose, is going to be ingenious enough to really matter.

You can circumvent the login passing an arg to ssh (avoids recording to 'who' and 'last'):
$ ssh user@host bash

1. Wrapping shells has limited capabilities and there are a ton of ways to work around any controls in place.
a. Someone installs their own version of a shell binary
b. ssh tunneling that opens a port where a custom-written client sits waiting to echo any commands sent to it from a remote host through the tunnel.

2. Solaris has audit features but that could get a little chatty if you log every available command. I would use it to track any basic commands like mv, cp, rm, scp, sftp, unlink.

4. There are commercial tools that provide some controls on top of what Solaris offers, such as limiting access by date/time, some logging similar to shell wrapping.

5. Honestly, I always ran 'script' to capture my actions for my own protection. If you cannot trust your admins (not the people who just do useradd, etc., but the guys that set up SAN disk, install patches, troubleshoot, strace, analyze core files, etc.), then you are swimming upriver to start with. **tip: don't piss users off if you don't have to**

As long as you allow someone to login and run any arbitrary commands, they have the potential to avoid any logging or tracking you may set up.

The most common approaches are more tedious but more reliable for reaching the goal I think you are stepping toward:
* audit your system (tripwire, symantec esm, etc) for risks regularly
* require planned and documented requests to make changes, when possible
* lock root with an automated system that can be used for giving out a password to only one person at any one time (holding that person responsible for any impacts created by their access whether they used the id or gave it to a buddy)
* create scripts to automate any repeatable tasks (user mgt, job scheduling, file mgt, etc.) so that the user must use the script and cannot execute the commands directly.

-JA

Crist J. Clark wrote:
I am trying to write a script that does the following:

1) Finds all root logins and su's to root.
2) Tracks all commands run after that login.
3) Associates each command with its login.

Sounds easy, huh? Devil's in the details.

Current method of attack is to find all of the su's and logins,
and save the session ID. Then I can go through and pick out the
'exec' events with that session ID and run as root. My old
method was to follow all of the forks from a login. It was not
pretty, but seemed to work most of the time. I thought following
session IDs would be more robust and less error prone.

But I have an audit trail here that is confounding my best
efforts. What we have is a "forced" SSH command. There are a
few problems with the trail. First, it looks like it starts
forking children before the login. Second, the login has a
different session ID than its children. I'm a bit confused
about what is going on here. Here's the audit trail. It's in
XML format. I find that easier to read with the labels.

What's killing me is that the login (the 'login - ssh' event)
has a different session ID than its children (the 'exec(2)'
of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
need to revert to my old method? This is Solaris 9 using
the Sun SSH daemon.


<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl' href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN' 'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="732">
<path>/usr/bin/sh</path>
<attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469" device="0"/>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="741">
<argument arg-num="0" value="0x5e03" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="764">
<path>/usr/bin/locale</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411" device="0"/>
<exec_args><arg>/usr/bin/locale</arg><arg>-a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="800">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="801">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit state" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit policy flags" time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST 2007" msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="598">
<path>/usr/bin/ksh</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497" device="0"/>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="614">
<path>/etc/security/sox_baseline</path>
<attribute mode="100755" uid="root" gid="other" fsid="136" nodeid="64371" device="0"/>
<exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
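
As an added example (not the poster's script, nor anything from Sun), the Python below correlates praudit -x records with a login two ways: by session ID, which matches nothing here because the 'login - ssh' record carries a different sid than its children, and by following the fork(2)/vfork(2) "child PID" arguments under the login pid, which does recover the 'ksh -c /etc/security/sox_baseline' exec while dropping the pre-login 'locale -a' probe by timestamp. The embedded sample is the quoted trail trimmed to the attributes the code reads (DOCTYPE, stylesheet and most subject attributes omitted).

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: records from the trail quoted above, trimmed to the fields used here.
SAMPLE = """<audit>
<record event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="731">
<argument value="0x5e02" desc="child PID"/><subject pid="24065" sid="3539585011"/></record>
<record event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" msec="732"><path>/usr/bin/sh</path>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a</arg></exec_args>
<subject pid="24066" sid="3539585011"/></record>
<record event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="548">
<argument value="0x5e04" desc="child PID"/><subject pid="24065" sid="3539585011"/></record>
<record event="login - ssh" time="Thu Jan 11 10:46:21 PST 2007" msec="568">
<subject pid="24065" sid="3603920788"/></record>
<record event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="583">
<argument value="0x5e05" desc="child PID"/><subject pid="24068" sid="3539585011"/></record>
<record event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" msec="598"><path>/usr/bin/ksh</path>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline</arg></exec_args>
<subject pid="24069" sid="3539585011"/></record>
</audit>"""

def stamp(rec):  # sortable (datetime, msec); the zone token (PST) is dropped so strptime is portable
    t = rec.get("time").split()
    return (datetime.strptime(" ".join(t[:4] + t[5:]), "%a %b %d %H:%M:%S %Y"), int(rec.get("msec")))
def cmd(e):  # command line recorded in an execve(2) record
    return " ".join(a.text.strip() for a in e.iter("arg"))

def correlate(xml_text):
    """For each login record: execs matched by sid, and execs found by following forks."""
    recs = ET.fromstring(xml_text).findall("record")
    execs = [r for r in recs if r.get("event") == "execve(2)"]
    children = {}  # parent pid -> child pids, from the "child PID" argument of fork/vfork
    for r in recs:
        if r.get("event") in ("fork(2)", "vfork(2)"):
            arg = r.find("argument")
            if arg is not None and arg.get("desc") == "child PID":
                children.setdefault(r.find("subject").get("pid"), []).append(str(int(arg.get("value"), 16)))
    out = {}
    for lg in (r for r in recs if r.get("event").startswith("login")):
        sid, pid = lg.find("subject").get("sid"), lg.find("subject").get("pid")
        by_sid = [cmd(e) for e in execs if e.find("subject").get("sid") == sid]
        # Fallback: walk the fork tree under the login pid, keeping only execs recorded
        # after the login event itself, so pre-login children (the locale probe) drop out.
        tree, todo = set(), [pid]
        while todo:
            for c in children.get(todo.pop(), []):
                if c not in tree:
                    tree.add(c); todo.append(c)
        by_fork = [cmd(e) for e in execs if e.find("subject").get("pid") in tree and stamp(e) >= stamp(lg)]
        out[pid] = {"sid": sid, "by_sid": by_sid, "by_fork": by_fork}
    return out
```

Run against the full praudit -x output, the by_sid list stays empty for forced-command logins like this one, while by_fork reports the commands the login actually ran.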
