5. Where can I find the logs?
auditd
The Linux audit framework provides a CAPP-compliant (Controlled Access Protection Profile) auditing system that reliably collects information about any security-relevant (or non-security-relevant) event on a system.1
auditd is the auditing daemon, and it logs (in nearly all cases I know of) to /var/log/audit/audit.log
.
auditd is not exclusively used by SELinux, many security-critical services output to this, so it will be necessary for us to filter the messages related to our concerns.
Examining the logs on our Lab host
With what we have setup in the previous steps we should now have
- A system running SELinux in permissive mode (where it logs the violations but does not block them from occuring yet)
- A remote shell connected in via SSH, with the following SELinux context applied:
[ec2-user ~]$ secon
user: user_u
role: user_r
type: user_t
sensitivity: s0
clearance: s0
mls-range: s0 - A reverse-shell connected to the host through the AWS SSM agent, with the following SELinux context applied:note, that we can see there are no constraints on this process (as is seen by highlighted rows above), as we have not entered the host via SSH, this is intentional.
[ssm-user ~]$ secon
user: system_u
role: system_r
type: unconfined_service_t
sensitivity: s0
clearance: s0
mls-range: s0
If we now run the following command in the shell that SSH has facilitated for us (you'll need to sudo su to become root before tailing this):
[root ~]# tail -n0 -f /var/log/audit/audit.log
At first here we'll see nothing as the -n0
argument is saying we don't want any trailing information, just new stuff. The -f
argument tails that file for new changes and will output them.
In the other shell we have, if you now try to assume root via something like
[ec2-user ~]$ sudo su
We will see all the following lines in auditd logs:
Output of tailing /var/log/audit/audit.log when we type sudo su
type=AVC msg=audit(1668988444.803:150): avc: denied { setuid } for pid=3543 comm="sudo" capability=7
scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability permissive=1
type=USER_ACCT msg=audit(1668988444.843:151): pid=3543 uid=1000 auid=1000 ses=2 subj=user_u:user_r:user_
t:s0 msg='op=PAM:accounting grantors=pam_unix acct="ec2-user" exe="/usr/bin/sudo" hostname=? addr=? term
inal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1668988444.843:152): pid=3543 uid=1000 auid=1000 ses=2 subj=user_u:user_r:user_t
:s0 msg='cwd="/home/ec2-user" cmd="su" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1668988444.843:153): pid=3543 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:s
0 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? termin
al=/dev/pts/1 res=success'
type=USER_START msg=audit(1668988444.847:154): pid=3543 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:
s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root"
exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1668988444.851:155): avc: denied { create } for pid=3545 comm="su" scontext=user_u
:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_selinux_socket permissive=1
type=AVC msg=audit(1668988444.851:156): avc: denied { bind } for pid=3545 comm="su" scontext=user_u:u
ser_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=netlink_selinux_socket permissive=1
type=USER_AVC msg=audit(1668988444.855:157): pid=3545 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:s0
msg='avc: denied { passwd } for scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tc
lass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=pts/1'
type=USER_AUTH msg=audit(1668988444.855:158): pid=3545 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:s
0 msg='op=PAM:authentication grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=ip-172-31-5-255.
us-west-2.compute.internal addr=? terminal=pts/1 res=success'
type=USER_ACCT msg=audit(1668988444.855:159): pid=3545 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:s
0 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=ip-172-31-5-255.
us-west-2.compute.internal addr=? terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1668988444.855:160): pid=3545 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:s0
msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=ip-172-31-5-255.us-west-
2.compute.internal addr=? terminal=pts/1 res=success'
type=AVC msg=audit(1668988444.855:161): avc: denied { read write } for pid=3545 comm="su" name="lastl
og" dev="xvda1" ino=12918534 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tc
lass=file permissive=1
type=AVC msg=audit(1668988444.855:161): avc: denied { open } for pid=3545 comm="su" path="/var/log/la
stlog" dev="xvda1" ino=12918534 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lastlog_t:s0
tclass=file permissive=1
type=AVC msg=audit(1668988444.855:162): avc: denied { lock } for pid=3545 comm="su" path="/var/log/la
stlog" dev="xvda1" ino=12918534 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lastlog_t:s0
tclass=file permissive=1
type=AVC msg=audit(1668988444.855:163): avc: denied { read } for pid=3545 comm="su" name="btmp" dev="
xvda1" ino=12940222 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1668988444.855:163): avc: denied { open } for pid=3545 comm="su" path="/var/log/bt
mp" dev="xvda1" ino=12940222 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:faillog_t:s0 tc
lass=file permissive=1
type=USER_START msg=audit(1668988444.855:164): pid=3545 uid=0 auid=1000 ses=2 subj=user_u:user_r:user_t:
s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" e
xe="/usr/bin/su" hostname=ip-172-31-5-255.us-west-2.compute.internal addr=? terminal=pts/1 res=success'
type=AVC msg=audit(1668988444.859:165): avc: denied { dac_read_search } for pid=3546 comm="bash" capa
bility=2 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability permissive
=1
type=AVC msg=audit(1668988444.859:166): avc: denied { read } for pid=3546 comm="bash" name=".bashrc"dev="xvda1" ino=302930 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668988444.859:166): avc: denied { open } for pid=3546 comm="bash" path="/root/.bashrc" dev="xvda1" ino=302930 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=1
The types of log lines that are of interest to us here are AVC
and USER_AVC
(highlighted above), AVC stands for Access Vector Cache, and we will go into more details on this in the following section of the course. The former type is for kernel-land events, and the later type is for user-land events.2
We're running in permissive
moded currently so we see all the levels of blocks that would occur, but if we were running in enforcing
mode it would not get past the attempt to use the setuid
syscall3.
Filtering just to AVC events with ausearch
The auditd search tool is called ausearch
you can filter for the SELinux AVC events via:
# ausearch -m avc,user_avc
and if we want to filter even further for just our setuid
denial, we could do something like:
# ausearch -m avc,user_avc -sv no | grep setuid
which is looking for AVC denials and then grepping for setuid4.
- https://wiki.archlinux.org/title/Audit_framework↩
- https://selinuxproject.org/page/NB_AL↩
- setuid(2)↩
- Note, there is a flag
-sc
that is supposed to filterausearch
by SysCall name or number, I've tried the name, decimal and hex and not had success with it.↩