RE: questions about auditing on a new RH 6 box
On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
There are LOTS of the following:
01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
comm=escd, egid=bill.tangren, euid=bill.tangren,
exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
tty=none, uid=bill.tangren
There are also some like this, but syscall=open instead.
During this time, I am logged in to a GUI, but the screensaver has
activated, and I am doing nothing. No one else has an account.
Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)
The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.
Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary
Also a couple of of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd
You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...
HTH,
LCB