how to find ssh key in audit log file?
I've created an SSH key for connecting two hosts (client 192.168.4.107 and server 192.168.4.106). On the client machine I've run these commands, and the SSH connection works:
ssh-keygen
ssh-copy-id -i /root/.ssh/id_rsa.pub oracle@192.168.4.106
ssh-keygen -lf /root/.ssh/id_rsa.pub -E md5
MD5:9a:3d:f7:c9:38:91:41:c7:8e:ca:a0:75:a2:51:b5:fm
ssh-keygen -lf /root/.ssh/id_rsa.pub -E sha256
2048 SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo
On the server I have enabled the auditing system, and when I run the report (aureport -i) I receive a message like this:
type=CRYPTO_KEY_USER msg=audit(19/02/2019 12:35:42.590:1145) : pid=12444 uid=root auid=unset ses=unset subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:8a:99:38:f8:db:fd:02:52:76:ce:f8:c5:9a:ef:ef:47:98:23:fb:49:bf:c6:4b:de:e3:76:08:9c:f7:33:01:16 direction=? spid=12444 suid=root exe=/usr/sbin/sshd hostname=? addr=? terminal=? res=success'
The purpose of the activity is to detect user logins with the audit system thanks to SSH keys. The problem is that the two key fingerprints don't match (tracking the IP doesn't work: I work on a cloud, and the IP is public and always the same for all users).
The format of the SHA256 key fingerprint is really different from the fp inside the audit.log file. In which format is the fp key written?
Where am I wrong?
Thanks!
linux ssh security linux-audit cloud
The fingerprints probably do match, but you have them in two different formats.
– Kusalananda
Feb 20 at 9:07
It appears that the MD5 is very similar to the fp inside the alert log, but it is explained that the format is SHA256, and the keys don't match. @Kusalananda
– Francisco Sour
Feb 20 at 9:13
The SHA256 keys may still be the same, but the format that is used differs. You just have to find a way of getting either fingerprint in the other format. I'm not by a computer ATM, so I can't look this up right now. Also, the MD5 fingerprint is irrelevant.
– Kusalananda
Feb 20 at 9:18
Are you sure this is not the server key, and not the user key?
– Archemar
Feb 20 at 14:30
I am not familiar with audit tools; however, by looking at /var/log/messages, I managed to retrieve my SHA256 fingerprint.
– Archemar
Feb 20 at 14:34
asked Feb 20 at 8:25 by Francisco Sour, edited Feb 20 at 22:10
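As an added example (not part of the question or the comments, and not OpenSSH or auditd code), here are helpers that convert between the two SHA256 fingerprint encodings seen above, the unpadded base64 that ssh-keygen prints and the colon-separated hex in the auditd fp= field, so that Kusalananda's suggestion of getting either fingerprint into the other format can be checked directly; the function names are my own.

```python
import base64
import binascii
import re

# Added helpers (not from the question or from OpenSSH) for the two SHA256
# fingerprint encodings on this page:
#   ssh-keygen -l -E sha256 prints  SHA256:<43 unpadded base64 chars>
#   auditd CRYPTO_KEY_USER  prints  fp=SHA256:<32 bytes as colon-separated hex>
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{43}$")
_HEX_RE = re.compile(r"^([0-9a-fA-F]{2}:){31}[0-9a-fA-F]{2}$")


def strip_prefix(fp):
    """Drop whitespace and an optional 'SHA256:' prefix."""
    fp = fp.strip()
    return fp[len("SHA256:"):] if fp.upper().startswith("SHA256:") else fp


def canonical(fp):
    """Decode either encoding to the raw 32-byte digest; reject anything else."""
    body = strip_prefix(fp)
    if _HEX_RE.match(body):
        return binascii.unhexlify(body.replace(":", ""))
    if _B64_RE.match(body):
        return base64.b64decode(body + "=")  # 43 chars need one '=' of padding
    raise ValueError("unrecognised SHA256 fingerprint encoding: %r" % fp)


def b64_to_hex(fp):
    """ssh-keygen style -> auditd style (lowercase colon-separated hex)."""
    return ":".join("%02x" % b for b in canonical(fp))


def hex_to_b64(fp):
    """auditd style -> ssh-keygen style (unpadded base64)."""
    return base64.b64encode(canonical(fp)).decode("ascii").rstrip("=")


def same_key(fp_a, fp_b):
    """True when two fingerprints, in either encoding, name the same key."""
    return canonical(fp_a) == canonical(fp_b)


# Values quoted in the question: the client's key as ssh-keygen prints it, and
# the fp field of the CRYPTO_KEY_USER record (kind=server, i.e. a host key, so
# no match with the client key is expected).
CLIENT_FP_B64 = "SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo"
AUDIT_FP_HEX = ("SHA256:8a:99:38:f8:db:fd:02:52:76:ce:f8:c5:9a:ef:ef:47:"
                "98:23:fb:49:bf:c6:4b:de:e3:76:08:9c:f7:33:01:16")

if __name__ == "__main__":
    print("client key in audit form   :", b64_to_hex(CLIENT_FP_B64))
    print("audit fp in ssh-keygen form:", hex_to_b64(AUDIT_FP_HEX))
    print("same key?", same_key(CLIENT_FP_B64, AUDIT_FP_HEX))
```

Once both values are in one encoding the comparison is a plain byte comparison, and the result for the two values quoted in the question is "no match", as Archemar's comment about the server key predicts.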
1 Answer
I explain my solution for detecting users' change activity on a server in the cloud, with the requirements below:
- the client has a private key with fingerprint SHA256 x.x.x.x.x and the SSH connection is enabled
- on the server the auditing system is enabled
- watch rules are enabled for a specified folder, for example /home/oracle/
For detecting modified files, I follow the steps below; here is an example:
ausearch -f
------------
20/02/2019 16:37:00 /home/oracle/.bash_history 2 yes /usr/bin/bash 54321 770
770 is the event number; thanks to it I can find the session number:
ausearch -p | grep 770
----------------------
type=SYSCALL msg=audit(20/02/2019 16:37:00.868:770) : arch=x86_64 syscall=open success=yes exit=3 a0=0x10bd080 a1=O_WRONLY|O_APPEND a2=0x180 a3=0x0 items=1 ppid=8649 pid=8650 auid=oracle uid=oracle gid=oinstall euid=oracle suid=oracle fsuid=oracle egid=oinstall sgid=oinstall fsgid=oinstall tty=pts1 ses=58 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=modifica_fil
The session number is 58; thanks to it I can find the pid of the login session:
ausearch -i | grep ses=58
---------------------------
type=LOGIN msg=audit(20/02/2019 16:34:37.366:747) : pid=8646 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=oracle tty=(none) old-ses=4294967295 ses=58 res=yes
The pid of the login is 8646; I can look up the fingerprint of the key used by a specified user in /var/log/secure:
cat secure | grep 8646
----------------------
sshd[8646]: Accepted publickey for oracle from 192.168.4.107 port 58892 ssh2: RSA SHA256:x.x.x.x.x
answered Feb 20 at 16:04 by Francisco Sour, edited Feb 21 at 11:16
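The chain of lookups in the answer (event id, then session, then LOGIN pid, then the sshd "Accepted" line), carried out by an added script that is not part of the answer: it parses constructed ausearch -i records and a constructed /var/log/secure line modelled on the ones quoted above, and stops with None at the first missing link instead of guessing; the function names are assumptions.

```python
import re

# Constructed sample input modelled on the records quoted in the answer (not a
# real capture): two `ausearch -i` records from the server and the matching
# "Accepted publickey" line from /var/log/secure.
AUDIT_LOG = """\
type=LOGIN msg=audit(20/02/2019 16:34:37.366:747) : pid=8646 uid=root subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=unset auid=oracle tty=(none) old-ses=4294967295 ses=58 res=yes
type=SYSCALL msg=audit(20/02/2019 16:37:00.868:770) : arch=x86_64 syscall=open success=yes exit=3 a0=0x10bd080 a1=O_WRONLY|O_APPEND a2=0x180 a3=0x0 items=1 ppid=8649 pid=8650 auid=oracle uid=oracle gid=oinstall euid=oracle suid=oracle fsuid=oracle egid=oinstall sgid=oinstall fsgid=oinstall tty=pts1 ses=58 comm=bash exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=modifica_fil
"""
SECURE_LOG = """\
Feb 20 16:34:37 server sshd[8646]: Accepted publickey for oracle from 192.168.4.107 port 58892 ssh2: RSA SHA256:9V6hDnLdq7heMYT2S54AHamAo9Bi8eQVa5oNa1dyHuo
"""

_EVENT_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")   # trailing serial is the event id
_KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")               # field=value pairs of a record
_ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) "
                        r"port (\d+) ssh2: (\S+ SHA256:\S+)")


def parse_audit(text):
    """Map event id -> {field: value} for every record in `ausearch -i` output."""
    records = {}
    for line in text.splitlines():
        m = _EVENT_RE.search(line)
        if m:
            records[int(m.group(1))] = dict(_KV_RE.findall(line))
    return records


def parse_secure(text):
    """Map sshd pid -> login details for each 'Accepted' line in /var/log/secure."""
    logins = {}
    for line in text.splitlines():
        m = _ACCEPT_RE.search(line)
        if m:
            logins[int(m.group(1))] = {"method": m.group(2), "user": m.group(3),
                                       "from": m.group(4), "fingerprint": m.group(6)}
    return logins


def key_for_event(event_id, audit, secure):
    """Walk event -> ses -> LOGIN record pid -> sshd 'Accepted' line, as the answer does."""
    rec = audit.get(event_id)
    if rec is None or "ses" not in rec:
        return None
    login = next((r for r in audit.values()
                  if r.get("type") == "LOGIN" and r.get("ses") == rec["ses"]), None)
    if login is None or "pid" not in login:
        return None
    info = secure.get(int(login["pid"]))
    if info is None:
        return None
    return {"event": event_id, "ses": rec["ses"], "login_pid": int(login["pid"]),
            "auid": rec.get("auid"), **info}


def trace(event_id, audit_text=AUDIT_LOG, secure_text=SECURE_LOG):
    """Parse both logs and resolve one event id to the key that opened its session."""
    return key_for_event(event_id, parse_audit(audit_text), parse_secure(secure_text))


if __name__ == "__main__":
    print(trace(770))
```

With real logs, pass the full output of ausearch -i and the contents of /var/log/secure as the two text arguments of trace(); note that sshd logs the fingerprint there in the same base64 form ssh-keygen prints, not the colon-hex form of the audit fp= field.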