7:27 a.m.
Hello all,
I joined the mailing list but have not received the confirmation email
yet. Please include me in the reply if you don't mind.
Okay here goes. I must have a simple misunderstanding or I may be
doing something wrong.
When I do the below three commands the auid shown back to me is not
the same from all the commands, but it's the same event. In the first
aureport I'm getting back an auid of zero for root. In the second
aureport I get back my teammate's auid. Also in the ausearch for the
specific event I get my teammate's auid. I would expect my teammate's
auid across all but that's not what I see.
It seems the first aureport replaces the auid with uid.
Can anyone point me in the right direction to get my expected results
working? I'm happy to share audit.rules and/or PAM configuration,
although they appear to be the result of someone following the
standard security guidelines.
The Red Hat support people have pointed me to "Chapter 7. System
Auditing" which I am happy to read. However, I already stumbled upon
"7.8. Creating Audit Reports" and I didn't see anything that helped me
out.
Here are the commands.
$ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
$ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Summary Report
============================
total auid
============================
1 849603
$ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
04/13/2016 17:02:06
----
time->Wed Apr 13 17:02:06 2016
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
uid=0 auid=849603 ses=4572
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
terminal=/dev/pts/2 res=success'
V/r,
Bryan
11:31 a.m.
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
Okay here goes. I must have a simple misunderstanding or I may be
doing something wrong.
When I do the below three commands the auid shown back to me is not
the same from all the commands, but it's the same event. In the first
aureport I'm getting back an auid of zero for root. In the second
aureport I get back my teammate's auid. Also in the ausearch for the
specific event I get my teammate's auid. I would expect my teammate's
auid across all but that's not what I see.
It seems the first aureport replaces the auid with uid.
This is correct and its a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
Can anyone point me in the right direction to get my expected
results
working? I'm happy to share audit.rules and/or PAM configuration,
although they appear to be the result of someone following the
standard security guidelines.
The Red Hat support people have pointed me to "Chapter 7. System
Auditing" which I am happy to read. However, I already stumbled upon
"7.8. Creating Audit Reports" and I didn't see anything that helped me
out.
Here are the commands.
$ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
$ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Summary Report
============================
total auid
============================
1 849603
$ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
04/13/2016 17:02:06
----
time->Wed Apr 13 17:02:06 2016
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
uid=0 auid=849603 ses=4572
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
terminal=/dev/pts/2 res=success'
11:52 a.m.
Hi Steve,
Thanks for your help. I will see about getting this into my RHEL6
system one way or another.
V/r,
Bryan
On Mon, Apr 18, 2016 at 12:31 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes. I must have a simple misunderstanding or I may be
> doing something wrong.
>
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event. In the first
> aureport I'm getting back an auid of zero for root. In the second
> aureport I get back my teammate's auid. Also in the ausearch for the
> specific event I get my teammate's auid. I would expect my teammate's
> auid across all but that's not what I see.
>
> It seems the first aureport replaces the auid with uid.
This is correct and its a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
> Can anyone point me in the right direction to get my expected results
> working? I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
>
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read. However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
>
> Here are the commands.
>
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Summary Report
> ============================
> total auid
> ============================
> 1 849603
>
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
> 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
3482
days inactive
3486
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Bryan Harris -
Steve Grubb