How to make sure a specific event is logged with thge proper message type? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

How to make sure a specific event is logged with thge proper message type?

[PATCH 1/1] Added exe field to...

ausearch with message types does...

Alarie, Maxime

Monday, 6 July 2015 Mon, 6 Jul '15

9:02 a.m.

Hi, I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification When I add a user, and do a ausearch -m ADD_USER I get 0 match. Am I doing something wrong here? I am using version 1.8. Thanks

Attachments:

attachment.html (text/html — 2.7 KB)

Reply

Show replies by date

Boyce, Kevin P (AS)

Monday, 6 July Mon, 6 Jul

10:08 a.m.

OK this may be obvious but have you actually tried using useradd to create an account before running your ausearch? From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Alarie, Maxime Sent: Monday, July 06, 2015 10:03 AM To: linux-audit(a)redhat.com Subject: EXT :How to make sure a specific event is logged with thge proper message type? Hi, I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification When I add a user, and do a ausearch -m ADD_USER I get 0 match. Am I doing something wrong here? I am using version 1.8. Thanks

Reply

Alarie, Maxime

10:29 a.m.

Thanks for the reply. Of course :) I also tried DEL_USER on a deleted user, and nothing gets logged under that type, also I never get the hostname and addr fileds filled up.. Its always hostname=? And addr=? Help is aprecited. De : Boyce, Kevin P (AS) [mailto:Kevin.Boyce@ngc.com] Envoyé : 6 juillet 2015 11:08 À : Alarie, Maxime; linux-audit(a)redhat.com Objet : RE: How to make sure a specific event is logged with thge proper message type? OK this may be obvious but have you actually tried using useradd to create an account before running your ausearch? From: linux-audit-bounces@redhat.com<mailto:linux-audit-bounces@redhat.com> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Alarie, Maxime Sent: Monday, July 06, 2015 10:03 AM To: linux-audit@redhat.com<mailto:linux-audit@redhat.com> Subject: EXT :How to make sure a specific event is logged with thge proper message type? Hi, I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification When I add a user, and do a ausearch -m ADD_USER I get 0 match. Am I doing something wrong here? I am using version 1.8. Thanks

Reply

Steve Grubb

11:01 a.m.

On Monday, July 06, 2015 02:02:32 PM Alarie, Maxime wrote:

Hi, I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification

Note that this rule will create a SYSCALL event. To find it later, you would run: ausearch --start today -k user_modification

When I add a user, and do a ausearch -m ADD_USER I get 0 match. Am I doing something wrong here? I am using version 1.8.

This event is a user space originating event and it depends on shadow-utils being correctly patched to generate the events specified in: http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt If it doesn't, you should file a bug report against the shadow-utils package of your distribution so that they know about the issue. -Steve

Reply

3456

days inactive

3456

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

Alarie, Maxime
Boyce, Kevin P (AS)
Steve Grubb