[Kernel] Audit ssh

PengouinPdt · Février 21, 2016, 9:50pm

Bonjour,

Ce matin, dans le rapport logwatch de mon serveur, j’ai le message suivant :

De ce que je comprends, c’est un message d’audit du kernel à-propos du service ssh.
L’uid correspond bien …

Mais que dois-je comprendre d’autres, et surtout d’important ?

Dunatotatos · Février 21, 2016, 9:50pm

C’est un peu court comme descriptif… De quel fichier log cette ligne vient-elle ? Qu’y a-t-il avant et après ?

J’ai eu quelques-fois de tels messages. Ils étaient dus à des paquets mal formés arrivant sur le service ssh. C’est possible que ton problème soit le même ici. Mais juste avec cette ligne, impossible d’en être sûr.

PengouinPdt · Février 21, 2016, 9:50pm

Beh, c’est le retour de logwatch - je n’ai que cette ligne :

[quote]Kernel Audit
Unmatched Entries
audit: type=1326 audit(1439670179.664:2): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=41414 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f708cba9797 code=0x0 [/quote]

Je pensais que c’était dans le fichier log du kernel, ou système, voire les messages … mais je ne trouve rien !

[quote]# grep “audit|ssh” /var/log/kern.log

grep “audit|ssh” /var/log/kern.log.1

grep “audit|ssh” /var/log/syslog

grep “audit|ssh” /var/log/syslog.1

grep “audit|ssh” /var/log/messages

grep “audit|ssh” /var/log/messages.1

#[/quote]

Dunatotatos · Février 21, 2016, 9:50pm

Dans /var/log/audit/ ?

debianhadic · Février 21, 2016, 9:50pm

Essaye :

# grep -nir "audit|ssh" /var/log/.

PengouinPdt · Février 21, 2016, 9:50pm

@Dunatotatos: ce répertoire n’existe pas !

@debianhadic:

debianhadic · Février 21, 2016, 9:50pm

Utilise egrep ou grep -E pour pouvoir faire “|”

PengouinPdt · Février 21, 2016, 9:50pm

grep -nirE “audit” /var/log/

/var/log/kern.log:1:Aug 17 14:12:28 siou kernel: [1718747.855516] audit: type=1326 audit(1439813548.030:3): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=19318 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f881799d797 code=0x0
/var/log/kern.log:2:Aug 17 14:14:36 siou kernel: [1718876.471715] audit: type=1326 audit(1439813676.545:4): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=20501 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f0af0783797 code=0x0
/var/log/kern.log:3:Aug 17 14:30:32 siou kernel: [1719833.313174] audit: type=1326 audit(1439814632.631:5): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=30289 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f8a76dab797 code=0x0
/var/log/syslog:482:Aug 17 14:12:28 siou kernel: [1718747.855516] audit: type=1326 audit(1439813548.030:3): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=19318 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f881799d797 code=0x0
/var/log/syslog:485:Aug 17 14:14:36 siou kernel: [1718876.471715] audit: type=1326 audit(1439813676.545:4): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=20501 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f0af0783797 code=0x0
/var/log/syslog:503:Aug 17 14:30:32 siou kernel: [1719833.313174] audit: type=1326 audit(1439814632.631:5): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=30289 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f8a76dab797 code=0x0
/var/log/kern.log.1:51:Aug 15 22:22:59 siou kernel: [1575266.368797] audit: type=1326 audit(1439670179.664:2): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=41414 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f708cba9797 code=0x0
/var/log/rkhunter.log:1366:[07:37:24] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log:3114:[07:37:26] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:1368:[07:37:21] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:3266:[07:37:18] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:5014:[07:37:22] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:6762:[07:37:15] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:8510:[07:37:34] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.old:10262:[07:37:18] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/messages.1:119:Aug 15 22:22:59 siou kernel: [1575266.368797] audit: type=1326 audit(1439670179.664:2): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=41414 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f708cba9797 code=0x0
/var/log/messages:22:Aug 17 14:12:28 siou kernel: [1718747.855516] audit: type=1326 audit(1439813548.030:3): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=19318 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f881799d797 code=0x0
/var/log/messages:23:Aug 17 14:14:36 siou kernel: [1718876.471715] audit: type=1326 audit(1439813676.545:4): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=20501 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f0af0783797 code=0x0
/var/log/messages:24:Aug 17 14:30:32 siou kernel: [1719833.313174] audit: type=1326 audit(1439814632.631:5): auid=4294967295 uid=113 gid=65534 ses=4294967295 pid=30289 comm=“sshd” exe="/usr/sbin/sshd" sig=31 syscall=121 compat=0 ip=0x7f8a76dab797 code=0x0
/var/log/popularity-contest:22:1439510400 1430136000 libaudit1 /lib/x86_64-linux-gnu/libaudit.so.1.0.0
/var/log/popularity-contest:585:0 0 libaudit-common
/var/log/rkhunter.log.1:1366:[07:37:23] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.1:3260:[07:37:19] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.1:5006:[07:37:18] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.1:6752:[07:37:22] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.1:8498:[07:37:35] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/rkhunter.log.1:10244:[07:37:19] Checking for file ‘/usr/include/audit.h’ [ Not found ]
/var/log/popularity-contest.0:15:1438905600 1430136000 libaudit1 /lib/x86_64-linux-gnu/libaudit.so.1.0.0
/var/log/popularity-contest.0:688:0 0 libaudit-common
/var/log/installer/cdebconf/questions.dat:313: SUBST0 = acl adduser dmsetup insserv libaudit-common libaudit1 libbz2-1.0 libcap2 libcap2-bin libcryptsetup4 libdb5.3 libdebconfclient0 libdevmapper1.02.1 libgcrypt20 libgpg-error0 libkmod2 libncursesw5 libprocps3 libsemanage-common libsemanage1 libslang2 libsystemd0 libudev1 libustr-1.0-1 procps systemd systemd-sysv udev
/var/log/installer/cdebconf/templates.dat:30416:Choices-ca.UTF-8: Afganistan, Bahrain, Bangla Desh, Bhutan, Brunei (Negara Brunei Darussalam), Cambodja, Xina, Hong Kong, Índia, Indonèsia, Iran, Iraq, Israel, Japó, Jordània, Kazakhstan, Corea del Nord, Corea del Sud, Kuwait, Kirguizistan, República Democràtica Popular de Laos, Líban, Macau, Malàisia, Mongòlia, Myanmar, Nepal, Oman, Pakistan, Palestine, State of, Filipines, Qatar, Aràbia Saudita, Singapur, Sri Lanka, República Àrab Síria, Taiwan, Tadjikistan, Tailàndia, Timor Oriental, Turquia, Turkmenistan, Unió dels Emirats Àrabs, Uzbekistan, Vietnam, Iemen
/var/log/installer/cdebconf/templates.dat:30456:Choices-it.UTF-8: Afghanistan, Bahrein, Bangladesh, Bhutan, Brunei, Cambogia, Cina, Hong Kong, India, Indonesia, Iran, Iraq, Israele, Giappone, Giordania, Kazakistan, Corea del Nord, Corea del Sud, Kuwait, Kirghizistan, Laos, Libano, Macao, Malaysia, Mongolia, Myanmar, Nepal, Oman, Pakistan, Palestina, Stato di, Filippine, Qatar, Arabia Saudita, Singapore, Sri Lanka, Siria, Taiwan, Tagikistan, Thailandia, Timor orientale, Turchia, Turkmenistan, Emirati arabi uniti, Uzbekistan, Vietnam, Yemen
/var/log/installer/cdebconf/templates.dat:30484:Choices-pt.UTF-8: Afeganistão, Barein, Bangladesh, Butão, Brunei, Cambodja, China, Hong Kong, Índia, Indonésia, Irão, República Islâmica do, Iraque, Israel, Japão, Jordânia, Cazaquistão, Coreia, República Popular Democrática de , Coreia, República da, Kuwait, Quirgistão, República Democrática Popular do Laos, Líbano, Macau, Malásia, Mongólia, Myanmar, Nepal, Oman, Paquistão, Palestina, Autoridade da, Filipinas, Quatar, Arábia Saudita, Singapura, Sri Lanka, República Árabe Síria, Taiwan, Tadjaquistão, Tailândia, Timor-Leste, Turquia, Turcomenistão, Emirados Árabes Unidos, Uzbequistão, Vietname, Yémen
/var/log/installer/cdebconf/templates.dat:30486:Choices-pt_BR.UTF-8: Afeganistão, Barein, Bangladesh, Butão, Brunei, Camboja, China, Hong Kong, Índia, Indonésia, Irã, República Islâmica do, Iraque, Israel, Japão, Jordânia, Cazaquistão, Coreia, República Popular Democrática da, Coreia, República da, Kuwait, Quirguistão, República Popular Democrática do Laos, Líbano, Macau, Malásia, Mongólia, Myanmar, Nepal, Omã, Paquistão, Palestina, Estado da, Filipinas, Catar, Arábia Saudita, Cingapura, Sri Lanka, República Árabe da Síria, Taiwan, Tadjiquistão, Tailândia, Timor Leste, Turquia, Turcomenistão, Emirados Árabes Unidos, Uzbequistão, Vietnã, Iêmen
/var/log/installer/cdebconf/templates.dat:30488:Choices-ro.UTF-8: Afganistan, Bahrein, Bangladeș, Bhutan, Brunei, Cambogia, China, Hong Kong, India, Indonezia, Iran, Republica islamică, Irak, Israel, Japonia, Iordania, Kazakhstan, Republica democrată populară Coreea, Republica Coreea, Kuweit, Kârgâzstan, Republica populară democrată Lao, Liban, Macao, Malaezia, Mongolia, Myanmar, Nepal, Oman, Pakistan, Palestine, State of, Filipine, Qatar, Arabia Saudită, Singapore, Sri Lanka, Republica Araba Siria, Taiwan, Tajikistan, Tailanda, Timorul de Est, Turcia, Turkmenistan, Emiratele Arabe Unite, Uzbekistan, Vietnam, Yemen
/var/log/installer/cdebconf/templates.dat:30500:Choices-sq.UTF-8: Afganistani, Bahrain, Bangladesh, Bhutan, Brunei Darussalam, Kamboxhia, Kina, Hong Kong, India, Indonezia, Republika Islamike e Iranit, Iraku, Izraeli, Japonia, Jordania, Kazakistan, Korea, Republika Popullore Demokratike e, Korea, Republika e, Kuvajti, Kirgistani, Republika Demokratike Popullore e Laosit, Libani, Makao, Malajzia, Mongolia, Birmania, Nepali, Omani, Pakistani, Palestine, State of, Filipinet, Katari, Arabia Saudite, Singapori, Sri Lanka, Republika Arabe e Sirisë, Tajvani, Taxhikistani, Tajlanda, Timor-Leste, Turqia, Turkmenistani, Emiratet e Bashkuara Arabe, Uzbekistani, Vjet Nam, Yemen
/var/log/installer/syslog:414:Apr 27 16:08:53 kernel: [ 0.626298] audit: initializing netlink subsys (disabled)
/var/log/installer/syslog:415:Apr 27 16:08:53 kernel: [ 0.626342] audit: type=2000 audit(1430150932.516:1): initialized
/var/log/installer/syslog:1598:Apr 27 16:39:13 debootstrap: Selecting previously unselected package libaudit-common.
/var/log/installer/syslog:1599:Apr 27 16:39:13 debootstrap: Preparing to unpack …/libaudit-common_1%3a2.4-1_all.deb …
/var/log/installer/syslog:1600:Apr 27 16:39:13 debootstrap: Unpacking libaudit-common (1:2.4-1) …
/var/log/installer/syslog:1601:Apr 27 16:39:14 debootstrap: Selecting previously unselected package libaudit1:amd64.
/var/log/installer/syslog:1602:Apr 27 16:39:14 debootstrap: Preparing to unpack …/libaudit1_1%3a2.4-1+b1_amd64.deb …
/var/log/installer/syslog:1603:Apr 27 16:39:14 debootstrap: dpkg: regarding …/libaudit1_1%3a2.4-1+b1_amd64.deb containing libaudit1:amd64, pre-dependency problem:
/var/log/installer/syslog:1604:Apr 27 16:39:14 debootstrap: libaudit1 pre-depends on multiarch-support
/var/log/installer/syslog:1608:Apr 27 16:39:14 debootstrap: Unpacking libaudit1:amd64 (1:2.4-1+b1) …
/var/log/installer/syslog:1633:Apr 27 16:39:20 debootstrap: libpam-modules pre-depends on libaudit1 (>= 1:2.2.1)
/var/log/installer/syslog:1634:Apr 27 16:39:20 debootstrap: libaudit1:amd64 is unpacked, but has never been configured.
/var/log/installer/syslog:2184:Apr 27 16:40:27 debootstrap: login pre-depends on libaudit1 (>= 1:2.2.1)
/var/log/installer/syslog:2185:Apr 27 16:40:27 debootstrap: libaudit1:amd64 is unpacked, but has never been configured.
/var/log/installer/syslog:2229:Apr 27 16:40:31 debootstrap: Setting up libaudit-common (1:2.4-1) …
/var/log/installer/syslog:2253:Apr 27 16:40:38 debootstrap: Setting up libaudit1:amd64 (1:2.4-1+b1) …