Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Sun
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

BSM, SSH, and Session ID

from [Crist J. Clark] Network Security [Permanent Link]
Subject: BSM, SSH, and Session ID
Date: Mon, 22 Jan 2007 15:35:40 -0800 
I am trying to write a script that does the following:

        1) Finds all root logins and su's to root.
        2) Tracks all commands run after that login.
        3) Associates each command with its login.

Sounds easy, huh? Devil's in the details.

Current method of attack is to find all of the su's and logins,
and save the session ID. Then I can go through and pick out the
'exec' events with that session ID and run as root. My old
method was to follow all of the forks from a login. It was not
pretty, but seemed to work most of the time. I thought following
session IDs would be more robust and less error prone.

But I have a audit trail here that is confounding my best
efforts. What we have is a "forced" SSH command. There are a
few problems with the trail. First, it looks like it starts
forking children before the login. Second, the login has a
different session ID than its children. I'm a bit confused
about what is going on here. Here's the audit trail. It's in
XML format. I find that easier to read with the labels.

What's killing me is that the login (the 'login - ssh' event)
has a different session ID that its children (the 'exec(2)'
of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
need to revert to my old method? This is Solaris 9 using
the Sun SSH daemon.


<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl' 
href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN' 
'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
<record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="732">
<path>/usr/bin/sh</path>
<attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469" 
device="0"/>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="741">
<argument arg-num="0" value="0x5e03" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="764">
<path>/usr/bin/locale</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411" 
device="0"/>
<exec_args><arg>/usr/bin/locale</arg><arg>-a
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="800">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007" 
msec="801">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" 
msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit state" time="Thu Jan 11 
10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21 PST 
2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="auditon(2) - get audit policy flags" time="Thu Jan 
11 10:46:21 PST 2007" msec="557">
<subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root" 
pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST 2007" 
msec="568">
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" 
pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007" 
msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" 
pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" 
msec="598">
<path>/usr/bin/ksh</path>
<attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497" 
device="0"/>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" 
pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
<record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007" 
msec="614">
<path>/etc/security/sox_baseline</path>
<attribute mode="100755" uid="root" gid="other" fsid="136" nodeid="64371" 
device="0"/>
<exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
</arg></exec_args>
<subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other" 
pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
<return errval="success" retval="0"/>
</record>
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Solaris 2.7 Daylight saving time fix., Casper . Dik
Next by Date:  RE: Solaris 2.7 Daylight saving time fix., Levenglick, Jeff
Previous by Thread:  Solaris 2.7 Daylight saving time fix., lcashdol
Next by Thread:  Re: BSM, SSH, and Session ID, Jalex
Indexes:  [Date] [Thread] [Top] [All Lists]