On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
Okay here goes. I must have a simple misunderstanding or I may be
doing something wrong.
When I do the below three commands the auid shown back to me is not
the same from all the commands, but it's the same event. In the first
aureport I'm getting back an auid of zero for root. In the second
aureport I get back my teammate's auid. Also in the ausearch for the
specific event I get my teammate's auid. I would expect my teammate's
auid across all but that's not what I see.
It seems the first aureport replaces the auid with uid.
This is correct, and it's a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
Can anyone point me in the right direction to get my expected results
working? I'm happy to share audit.rules and/or PAM configuration,
although they appear to be the result of someone following the
standard security guidelines.
The Red Hat support people have pointed me to "Chapter 7. System
Auditing" which I am happy to read. However, I already stumbled upon
"7.8. Creating Audit Reports" and I didn't see anything that helped me
out.
Here are the commands.
$ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Report
============================================
# date time auid host term exe success event
============================================
1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
$ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
Login Summary Report
============================
total auid
============================
1 849603
$ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
----
time->Wed Apr 13 17:02:06 2016
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
uid=0 auid=849603 ses=4572
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
terminal=/dev/pts/2 res=success'
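
Added example, not part of the original thread and not code from the audit project: on a system still running a release older than 2.4.1, a cross-check that compares the auid column of each `aureport -l` row against the auid field of the raw USER_LOGIN record with the same event serial. It assumes numeric report output (no `-i`) and one record per line; the function names are hypothetical, and the two sample strings are the row and record quoted above.

```python
import re

# Record and report row as shown in the thread (record joined onto one line).
RAW_RECORD = (
    "type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 "
    "uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=login id=849603 exe=\"/usr/sbin/sshd\" hostname=10.120.1.235 "
    "addr=10.120.1.235 terminal=/dev/pts/2 res=success'"
)
REPORT_ROW = ("1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 "
              "/usr/sbin/sshd yes 1972315")

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"\b(\w+)=(\"[^\"]*\"|\S+)")


def parse_record(line):
    """Return (type, serial, fields) for one raw audit record."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rtype, serial, body = m.groups()
    # Keep the msg='...' payload separate so its keys (e.g. id) cannot
    # shadow the uid/auid/ses fields that precede it.
    outer, _, inner = body.partition("msg='")
    fields = dict(FIELD.findall(outer))
    for key, value in FIELD.findall(inner.rstrip("'")):
        fields["msg." + key] = value.strip('"')
    return rtype, int(serial), fields


def parse_login_row(row):
    """Pull the auid column and event serial from a numeric `aureport -l` row."""
    cols = row.split()  # index date time auid host term exe success event
    if len(cols) != 9:
        raise ValueError("unexpected column count: %d" % len(cols))
    return cols[3], int(cols[8])


def mismatches(report_rows, raw_records):
    """Report rows whose auid column differs from the record's auid field."""
    parsed = (parse_record(r) for r in raw_records)
    logins = {serial: f for rtype, serial, f in parsed if rtype == "USER_LOGIN"}
    found = []
    for row in report_rows:
        auid, event = parse_login_row(row)
        rec = logins.get(event)
        if rec and rec.get("auid") != auid:
            found.append((event, auid, rec.get("auid"), rec.get("uid")))
    return found
```

Each tuple returned is (event serial, auid as reported, auid in the record, uid in the record); a reported value equal to the record's uid is the substitution described in the thread.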