Hi Steve,
Thanks for your help. I will see about getting this into my RHEL6
system one way or another.
V/r,
Bryan
On Mon, Apr 18, 2016 at 12:31 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes. I must have a simple misunderstanding or I may be
> doing something wrong.
>
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event. In the first
> aureport I'm getting back an auid of zero for root. In the second
> aureport I get back my teammate's auid. Also in the ausearch for the
> specific event I get my teammate's auid. I would expect my teammate's
> auid across all but that's not what I see.
>
> It seems the first aureport replaces the auid with uid.
This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
> Can anyone point me in the right direction to get my expected results
> working? I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
>
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read. However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
>
> Here are the commands.
>
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Summary Report
> ============================
> total auid
> ============================
> 1 849603
>
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
> 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
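The discrepancy in the thread comes down to which field a report is keyed on: sshd runs as uid 0, so a login report that prints uid instead of auid attributes every SSH login to root, while the auid (login UID) is the value that actually identifies the person who authenticated. The following is an added example, not code from the thread or from the audit project: it parses raw USER_LOGIN records of the form shown in the ausearch output, builds the per-event and per-auid views that `aureport -l` and `aureport -l --summary` are meant to give, and flags events where uid and auid differ (exactly the cases a uid-keyed report misattributes). The first sample record is the one from the thread; the two additional records, their event ids, auids and addresses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: the USER_LOGIN record quoted in the thread, plus two
# constructed records (event ids 1972400/1972500, auid 1000, 192.0.2.10 are made up)
# so that the summary has something to aggregate and a failed login to show.
SAMPLE_RECORDS = """\
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603 exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(1460581400.100:1972400): user pid=29900 uid=0 auid=849603 ses=4573 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603 exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235 terminal=/dev/pts/3 res=success'
type=USER_LOGIN msg=audit(1460581500.200:1972500): user pid=30010 uid=0 auid=1000 ses=4574 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/4 res=failed'
"""

# Record header: type=NAME msg=audit(SECONDS.MILLIS:SERIAL): <key=value fields>
HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
# key=value pairs; values may be double-quoted, single-quoted (the nested msg='...'), or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Parse one raw audit record line into a dict, or return None if it is not a record."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, _millis, serial, rest = m.groups()
    fields = {"type": rtype, "time": int(secs), "event": int(serial)}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip("'\"")
    # The msg='op=login ...' value is itself a key=value string; flatten it into
    # the record without overriding outer fields of the same name.
    inner = fields.get("msg")
    if inner:
        for key, val in KV_RE.findall(inner):
            fields.setdefault(key, val.strip('"'))
    return fields


def login_report(text):
    """One row per USER_LOGIN record, keyed on auid (what 'aureport -l' should show)."""
    rows = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN":
            rows.append({
                "event": rec["event"],
                "time": datetime.fromtimestamp(rec["time"], tz=timezone.utc),
                "auid": int(rec["auid"]),
                "uid": int(rec["uid"]),
                "host": rec.get("hostname", "?"),
                "terminal": rec.get("terminal", "?"),
                "exe": rec.get("exe", "?"),
                "success": rec.get("res") == "success",
            })
    return rows


def login_summary(rows):
    """Login count per auid, the view 'aureport -l --summary' gives."""
    return Counter(r["auid"] for r in rows)


def auid_uid_mismatches(rows):
    """Event ids where uid != auid: a uid-keyed login report (the pre-2.4.1
    'aureport -l' behaviour described in the thread) misattributes these logins."""
    return [r["event"] for r in rows if r["auid"] != r["uid"]]


if __name__ == "__main__":
    rows = login_report(SAMPLE_RECORDS)
    print("# event time(UTC) auid uid host term exe success")
    for r in rows:
        print(r["event"], r["time"].strftime("%m/%d/%Y %H:%M:%S"), r["auid"], r["uid"],
              r["host"], r["terminal"], r["exe"], "yes" if r["success"] else "no")
    print("summary (total auid):", dict(login_summary(rows)))
    print("events a uid-keyed report would attribute to the wrong user:",
          auid_uid_mismatches(rows))
```

Run it against real data by replacing SAMPLE_RECORDS with the output of `ausearch --message USER_LOGIN --raw` for the time window of interest; comparing its per-auid summary against `aureport -l` is a quick way to confirm whether the installed audit package still carries the uid/auid mix-up that 2.4.1 fixed.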