Re: ausearch with message types does not return what I think it would return. (0 matches when adding a user)
On Tuesday, June 30, 2015 03:12:40 PM Alarie, Maxime wrote:
I am new with auditd, and got some issues..
For example, When I add or delete a user, I cannot see the entry with
ausearch -m ADD_USER, it returns 0 match, BUT its logging it under
USER_AUTH. If I do a ausearch -x adduser, ill thee se event audit.log with
the EXECVE Type:
# ausearch -x useradd | grep titi
type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd"
a1="titi"
I also tried to find a full description of all message types returned by
ausearch -m but could not find any.. Any help on this would be
appreciated as well.
I think we discovered that shadow-utils had messed up the auditing pretty
badly a few months ago. It caused me to write a document[1] that outlines how
its supposed to work so that we can check any and all implementations to make
sure they follow the standard. The shadow-utils in RHEL7.1 was patched to be
correct and I presume the patch should be upstream by now.
So, I believe that is what you are seeing. Shadow-utils is a horrible piece of
code for auditing because there are about 320 places that have audit events
generated. I think upstream made it a little better, but its a huge problem
because all those events have to be correct...and they weren't.
-Steve
[1] - http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt