Re: BSM, SSH, and Session ID



On Fri, Jan 26, 2007 at 08:03:04PM -0500, Jalex wrote:
Solaris BSM makes more sense. I didn't realize it was the praudit xml
output.

Are you logging in as root through ssh or is that just the way it is
logging it?

Yes. The particular example below is a "forced command"
assocaited with a specific "authorized key." Root cannot
log in except "without password" and all authorized keys
have forced commands for some specific tasks.

I can't recall how Sun SSH on Solaris 9 behaves but recent versions of
Sun SSH/OpenSSH should fork off before the login because the sshd
process that a user is connected to after authentication runs with their
privileges, not root's. It should always be a different session, even
if the user login is root.

Something like that is going on, but it's not turning out
how I would expect. Here's the process tree,

sshd
[26065]
| \
| sh -c locale -a
| [26066]
| \
| locale -a
|\ [26067]
| \
| sshd
| [26068]
| \
| ksh -c etc/security/sox_baseline
| [26069]
(auditon) \...
(ssh - login)

So, we start with the sshd child spawned by the listening daemon,
26065. It runs the locale command. Then it spins off another
child, 26068. This child runs the forced command and all of
those children sprout off of that branch. The parent sshd doesn't
call auditon, log the login, or change the session ID until
_after_ it's forked the child doing all of the work.

I've trussed sshd, but it just made my head hurt more.

What gets annoying in other cases is that if the user logging
in is non-root, the "audit user" is root for all of the children
processes doing the work, like 26068 in this case, and the
"do nothing" main sshd process is the one that gets its audit
user changed to the user loging in. I end up with a bunch of
logs that I don't want.

Are you just auditing the root user?

For all exec's and fork's, yes, just root.

Crist J. Clark wrote:
I am trying to write a script that does the following:

1) Finds all root logins and su's to root.
2) Tracks all commands run after that login.
3) Associates each command with its login.

Sounds easy, huh? Devil's in the details.

Current method of attack is to find all of the su's and logins,
and save the session ID. Then I can go through and pick out the
'exec' events with that session ID and run as root. My old
method was to follow all of the forks from a login. It was not
pretty, but seemed to work most of the time. I thought following
session IDs would be more robust and less error prone.

But I have a audit trail here that is confounding my best
efforts. What we have is a "forced" SSH command. There are a
few problems with the trail. First, it looks like it starts
forking children before the login. Second, the login has a
different session ID than its children. I'm a bit confused
about what is going on here. Here's the audit trail. It's in
XML format. I find that easier to read with the labels.

What's killing me is that the login (the 'login - ssh' event)
has a different session ID that its children (the 'exec(2)'
of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
need to revert to my old method? This is Solaris 9 using
the Sun SSH daemon.


<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl'
href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN'
'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST
2007" msec="732">
<path>/usr/bin/sh</path>
<attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469"
device="0"/>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="741">
<argument arg-num="0" value="0x5e03" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST
2007" msec="764">
<path>/usr/bin/locale</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411"
device="0"/>
<exec_args><arg>/usr/bin/locale</arg><arg>-a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="800">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
msec="801">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit state" time="Thu Jan
11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21
PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit policy flags"
time="Thu Jan 11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST
2007" msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root"
rgid="other" pid="24065" sid="3603920788" tid="11953 196630
spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root"
rgid="other" pid="24068" sid="3539585011" tid="11953 196630
spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST
2007" msec="598">
<path>/usr/bin/ksh</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497"
device="0"/>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root"
rgid="other" pid="24069" sid="3539585011" tid="11953 196630
spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST
2007" msec="614">
<path>/etc/security/sox_baseline</path>
<attribute mode="100755" uid="root" gid="other" fsid="136"
nodeid="64371" device="0"/>
<exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root"
rgid="other" pid="24069" sid="3539585011" tid="11953 196630
spa.example.com"/>
<return errval="success" retval="0"/>
</record>


--
Crist J. Clark | cjclark@xxxxxxxxxxxx



Relevant Pages

  • Re: telnet as root question
    ... >> make securetty tell telnet and SSH apart? ... >login program after opening the pts. ... >check securetty to know if root login is allowed. ...
    (comp.os.linux.security)
  • Re: How to seize control of user terminal?
    ... >> 3) Come home and realize SSH task is still running, ... If I am using a shell on a campus ... can the root account snoop my terminal session? ...
    (comp.unix.shell)
  • Re: BSM, SSH, and Session ID
    ... I can't recall how Sun SSH on Solaris 9 behaves but recent versions of Sun SSH/OpenSSH should fork off before the login because the sshd process that a user is connected to after authentication runs with their privileges, ... It should always be a different session, even if the user login is root. ...
    (Focus-SUN)
  • RE: Login restrictions in NIS environment
    ... to ban root from logging in remotely except from certain IP addresses. ... but it does not allow root to login even from ... > stack is called by both login and ssh access. ...
    (RedHat)
  • Re: ssh to remote machine with user login problem
    ... > machine.When i login as root ssh to remote machoine will work without ... You need to copy the 'authorized_keys' file from the ssh directory of the root ...
    (Debian-User)