Re: BSM, SSH, and Session ID



On Thu, Jan 25, 2007 at 09:49:03PM -0500, Jalex wrote:
I don't think writing a 'script' to monitor anything at all for that
purpose is going to be ingenious enough to really matter.

You can circumvent the login passing an arg to ssh (avoids recording to
'who' and 'last'):
$ ssh user@host bash

Sorry, I guess I wasn't clear at the start of the message. The
script is reading Solaris BSM (auditing) logs.

You cannot circumvent it by doing 'ssh host sh'.

1. Wrapping shells has limited capabilities and there are a ton of ways
to work around any controls in place.
a. Someone installs their own version of a shell binary
b. ssh tunneling that opens a port where a custom-written client
sits waiting to echo any commands sent to it from a remote host through
the tunnel.

I always found running a shell or other arbitrary commands from within
vi or Perl (both usually available from a restricted shell) the
easy way out. But it doesn't matter when using BSM.

2. Solaris has audit features, but that could get a little chatty if you
log every available command. I would use it to track any basic commands
like mv, cp, rm, scp, sftp, unlink.

This is exactly what I am doing.

Crist J. Clark wrote:
I am trying to write a script that does the following:

1) Finds all root logins and su's to root.
2) Tracks all commands run after that login.
3) Associates each command with its login.

Sounds easy, huh? Devil's in the details.

Current method of attack is to find all of the su's and logins,
and save the session ID. Then I can go through and pick out the
'exec' events with that session ID and run as root. My old
method was to follow all of the forks from a login. It was not
pretty, but seemed to work most of the time. I thought following
session IDs would be more robust and less error prone.

But I have an audit trail here that is confounding my best
efforts. What we have is a "forced" SSH command. There are a
few problems with the trail. First, it looks like it starts
forking children before the login. Second, the login has a
different session ID than its children. I'm a bit confused
about what is going on here. Here's the audit trail. It's in
XML format. I find that easier to read with the labels.

What's killing me is that the login (the 'login - ssh' event)
has a different session ID than its children (the 'exec(2)'
of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
need to revert to my old method? This is Solaris 9 using
the Sun SSH daemon.


<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl'
href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN'
'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="732">
<path>/usr/bin/sh</path>
<attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469"
device="0"/>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="741">
<argument arg-num="0" value="0x5e03" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="764">
<path>/usr/bin/locale</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411"
device="0"/>
<exec_args><arg>/usr/bin/locale</arg><arg>-a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="800">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="801">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit state" time="Thu Jan 11
10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21 PST
2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit policy flags" time="Thu
Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST
2007" msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="598">
<path>/usr/bin/ksh</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497"
device="0"/>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="614">
<path>/etc/security/sox_baseline</path>
<attribute mode="100755" uid="root" gid="other" fsid="136" nodeid="64371"
device="0"/>
<exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>

--
Crist J. Clark | cjclark@xxxxxxxxxxxx
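Worked example, added here and not code from either poster: it parses a constructed excerpt of the BSM XML trail quoted above (same pids, hex child PIDs and session IDs, other attributes dropped) and compares the two correlation methods from the thread. Matching 'exec' records on the login record's sid finds nothing, because the forced-command children carry the pre-login sid 3539585011; walking fork/vfork child PIDs from the login pid, including the fork sshd issued just before 'login - ssh' was written, does recover the ksh exec.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the trail quoted in the thread; not the real file.
SAMPLE = """<audit>
<record event="fork(2)"><argument value="0x5e04" desc="child PID"/>
<subject uid="root" pid="24065" sid="3539585011"/></record>
<record event="login - ssh"><subject uid="root" pid="24065" sid="3603920788"/></record>
<record event="fork(2)"><argument value="0x5e05" desc="child PID"/>
<subject uid="root" pid="24068" sid="3539585011"/></record>
<record event="execve(2)"><path>/usr/bin/ksh</path>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline</arg></exec_args>
<subject uid="root" pid="24069" sid="3539585011"/></record>
</audit>"""

def parse_records(xml_text):
    """Flatten each <record> into a dict holding the fields used to correlate."""
    recs = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj = rec.find("subject")
        r = {"event": rec.get("event"), "uid": subj.get("uid"),
             "pid": int(subj.get("pid")), "sid": subj.get("sid")}
        arg = rec.find("argument")
        if arg is not None and arg.get("desc") == "child PID":
            r["child"] = int(arg.get("value"), 16)  # BSM logs the child PID in hex
        path = rec.find("path")
        if path is not None:
            r["path"] = path.text
            r["args"] = [a.text.strip() for a in rec.findall("exec_args/arg")]
        recs.append(r)
    return recs

def find_root_logins(recs):
    return [r for r in recs if r["event"].startswith("login") and r["uid"] == "root"]

def root_execs_by_sid(recs, login):
    """Session-ID method: execs as root that share the login record's sid."""
    return [r for r in recs if r["event"] == "execve(2)"
            and r["uid"] == "root" and r["sid"] == login["sid"]]

def root_execs_by_fork(recs, login):
    """Fork-following method: collect every fork/vfork child descending from
    the login pid (records are processed in trail order, so a fork issued by
    sshd before the login record is still attributed to that login)."""
    tree = {login["pid"]}
    for r in recs:
        if r["event"] in ("fork(2)", "vfork(2)") and r["pid"] in tree:
            tree.add(r["child"])
    return [r for r in recs if r["event"] == "execve(2)"
            and r["uid"] == "root" and r["pid"] in tree]
```

On a full trail, exit(2) records should be used to drop a pid from the tree when its process ends, so a later reuse of the same pid is not misattributed.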