-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit(a)redhat.com
Subject: RE: questions about auditing on a new RH 6 box
Probably can use a sampling of events as well.
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
Here are more logs (from /var/log/audit/audit.log):
type=CWD msg=audit(1295028176.635:718007): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028176.635:718007): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028176.635:718007): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.287:718008): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.287:718008): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.287:718008): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 a0=7fff05d84891 a1=0 a2=0 a3=60 items=1 ppid=28453 pid=29995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="LOG_audit"
type=CWD msg=audit(1295028177.742:718009): cwd="/root"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=SYSCALL msg=audit(1295028177.939:718010): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.939:718010): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.939:718010): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.939:718010): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
I think that some of this is capturing that I was using the tail command to capture some
of the logs to email to myself to post here. Obviously that isn't typical, but
hopefully there is some useful information here. Oh, and my uid and gid are both 500.
Bill
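An added example (not code from this thread or from the audit package) that parses records like the ones Bill posted: it groups records by serial number into events, decodes each PATH item's mode into a file type, names the two x86_64 (arch=c000003e) syscall numbers that appear in the sample (2 = open, 133 = mknod), and flags events whose auid differs from uid, which is how a login user acting as root after su or sudo shows up. The sample records are constructed from the post, re-joined onto one line each; the SYSCALL record for serial 718007 is left out as in the post, to show how an incomplete event is handled.

```python
import re
import stat
from collections import OrderedDict

# Constructed sample: records from the message, one per line.
# The SYSCALL record for serial 718007 is absent, as in the original post.
SAMPLE_LOG = """\
type=CWD msg=audit(1295028176.635:718007): cwd="/usr/lib64/esc-1.1.0"
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.287:718008): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.287:718008): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.287:718008): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 a0=7fff05d84891 a1=0 a2=0 a3=60 items=1 ppid=28453 pid=29995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="LOG_audit"
type=CWD msg=audit(1295028177.742:718009): cwd="/root"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
"""

# x86_64 (arch=c000003e) numbers for the two syscalls that occur in the sample.
SYSCALL_NAMES_X86_64 = {2: "open", 133: "mknod"}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its header and a dict of key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]          # drop the quotes around string values
        elif value in ("(null)", "(none)"):
            value = None                 # audit's way of saying "unset"
        fields[key] = value
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records that share a serial number into one event, in order of appearance."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def summarize_event(records):
    """Reduce one event's records to the fields an analyst looks at first."""
    by_type = {}
    for r in records:
        by_type.setdefault(r["type"], []).append(r)
    summary = {"serial": records[0]["serial"], "complete": "SYSCALL" in by_type, "paths": []}
    if summary["complete"]:
        f = by_type["SYSCALL"][0]["fields"]
        num = int(f["syscall"])
        summary.update({
            "syscall": SYSCALL_NAMES_X86_64.get(num, "syscall_%d" % num),
            "success": f["success"] == "yes",
            "auid": int(f["auid"]), "uid": int(f["uid"]),
            "comm": f["comm"], "exe": f["exe"], "key": f["key"],
            # auid is the login uid and survives su/sudo; a mismatch with uid
            # means the login user is acting under a different identity.
            "privilege_change": f["auid"] != f["uid"],
        })
    for p in by_type.get("PATH", []):
        pf = p["fields"]
        # mode is octal; stat.filemode turns it into an ls-style string,
        # so a FIFO shows as "prw-..." and a directory as "drwx...".
        summary["paths"].append((pf["name"], stat.filemode(int(pf["mode"], 8))))
    return summary


def summarize_log(text):
    """Summaries for every event in the log text, in the order the events appear."""
    return [summarize_event(recs) for recs in group_events(text).values()]


def keyed_events(summaries):
    """Events that matched an audit rule carrying a -k key, e.g. LOG_audit."""
    return [s for s in summaries if s.get("key")]


if __name__ == "__main__":
    for s in summarize_log(SAMPLE_LOG):
        print(s)
```

Run against the sample, the summaries show that the two escd events are mknod calls that create FIFOs under /var/run/pcscd.events/ as uid 500, while the tail event is an open of audit.log by uid 0 whose auid is still 500 and which carries the LOG_audit key; the CWD-only event 718007 is reported as incomplete rather than guessed at.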