On Friday 13 May 2005 16:34, Daniel H. Jones wrote:
> ausearch -p 0 returns records that do not have a pid of 0.
It turns out I was init'ing the structure to 0 and changing it as I parsed.
If there was no change, it was still zero. It's fixed now, thanks.
> ausearch -ul 0 returns records that do not have a login uid of 0.
Same
> ausearch -ua xxx does not find records with a uid or effective uid of xxx.
It was "anding" the uids in the search. They should be or'ed. Will fix.
Thanks.
> ausearch -x /bin/chmod does not find records containing the executable name.
>
> type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132
> loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd
> (hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh
> result=Success)'
PAM has to be modified to escape the exe name. It should be out next week. PAM
also needs work to update to the new message types.
-Steve
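The two defects acknowledged in the reply above are a common pair in log-search tools: a zero-initialised criteria struct where 0 doubles as "not specified" (so `-p 0` or `-ul 0` cannot be expressed and matches everything), and a uid test that requires both the uid and the effective uid to equal the value instead of either. The following is an added example, not code from the audit project: a minimal record parser and two matchers, one reproducing the buggy semantics and one with explicit per-criterion "set" flags and an OR on uid/euid. The record lines, field names and function names are constructed for this illustration.

```c
/* Added example (not audit's own code): a tiny record matcher showing the
 * two fixes discussed in the thread.
 * 1. A search criterion needs an explicit "was set" flag; a value of 0 cannot
 *    double as "unspecified" because pid 0 / uid 0 are legitimate values.
 * 2. A uid search should match if either uid or the effective uid equals
 *    the value (OR), not only when both do (AND).
 * Field names and the sample records below are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct record { int pid; int uid; int euid; int loginuid; };

struct search {
    int pid;      int pid_set;
    int uid;      int uid_set;      /* matches uid OR euid */
    int loginuid; int loginuid_set;
};

typedef int (*matcher_fn)(const struct search *, const struct record *);

/* Parse "key=value" fields out of one record line; unknown keys are ignored.
 * Absent fields are left at -1 so that 0 remains a real value. */
static int parse_record(const char *line, struct record *r)
{
    char buf[512];
    char *tok;
    r->pid = r->uid = r->euid = r->loginuid = -1;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;
        *eq = '\0';
        if (strcmp(tok, "pid") == 0) r->pid = atoi(eq + 1);
        else if (strcmp(tok, "uid") == 0) r->uid = atoi(eq + 1);
        else if (strcmp(tok, "euid") == 0) r->euid = atoi(eq + 1);
        else if (strcmp(tok, "loginuid") == 0) r->loginuid = atoi(eq + 1);
    }
    return 0;
}

/* Buggy matcher: criteria default to 0 and 0 means "don't care", so a
 * search for pid 0 filters nothing, and the uid test ANDs uid with euid. */
static int match_buggy(const struct search *s, const struct record *r)
{
    if (s->pid && r->pid != s->pid) return 0;
    if (s->uid && !(r->uid == s->uid && r->euid == s->uid)) return 0;
    if (s->loginuid && r->loginuid != s->loginuid) return 0;
    return 1;
}

/* Fixed matcher: each criterion carries its own set flag, and the uid
 * criterion is satisfied by either uid or euid. */
static int match_fixed(const struct search *s, const struct record *r)
{
    if (s->pid_set && r->pid != s->pid) return 0;
    if (s->uid_set && !(r->uid == s->uid || r->euid == s->uid)) return 0;
    if (s->loginuid_set && r->loginuid != s->loginuid) return 0;
    return 1;
}

/* Count how many of the constructed sample records a matcher accepts. */
static int count_matches(matcher_fn match, const struct search *s)
{
    static const char *lines[] = {
        "type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 euid=0 loginuid=503",
        "type=USER msg=audit(1116014702.100:0): user pid=0 uid=0 euid=0 loginuid=0",
        "type=SYSCALL msg=audit(1116014703.200:0): pid=8001 uid=503 euid=0 loginuid=503",
        "type=SYSCALL msg=audit(1116014704.300:0): pid=8002 uid=504 euid=504 loginuid=504",
    };
    int n = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct record r;
        if (parse_record(lines[i], &r) == 0 && match(s, &r)) n++;
    }
    return n;
}

/* Equivalent of "-p <pid>": only the pid criterion is set. */
static int count_for_pid(matcher_fn match, int pid)
{
    struct search s = { .pid = pid, .pid_set = 1 };
    return count_matches(match, &s);
}

/* Equivalent of "-ua <uid>": only the uid/euid criterion is set. */
static int count_for_uid(matcher_fn match, int uid)
{
    struct search s = { .uid = uid, .uid_set = 1 };
    return count_matches(match, &s);
}

int main(void)
{
    printf("pid 0:   buggy=%d fixed=%d\n", count_for_pid(match_buggy, 0), count_for_pid(match_fixed, 0));
    printf("uid 0:   buggy=%d fixed=%d\n", count_for_uid(match_buggy, 0), count_for_uid(match_fixed, 0));
    printf("uid 503: buggy=%d fixed=%d\n", count_for_uid(match_buggy, 503), count_for_uid(match_fixed, 503));
    return 0;
}
```

With the four constructed records, the buggy matcher returns all four for pid 0 and for uid 0 (the criterion is silently dropped), and zero for uid 503 because the record with uid=503 has euid=0; the fixed matcher returns one, three and one respectively. The same "set flag" discipline applies to any field where 0 is a valid value, which for audit records includes pid, uid, euid and loginuid.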