From: Damian Tykałowski
Subject: Problem with watching power commands - key is not logged
Date: Sat, 28 Jan 2017 13:16:19 +0100
Message-ID: <00bd01d27960$5598e330$00caa990$@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
Hi

I'm struggling to get proper auditing of usage of power commands; here's what I've got in rules:

[root@host01 ~]# cat /etc/audit/audit.rules | grep power
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power

However, despite a full host reboot / refreshing the rules, I'm not getting events with the proper key "power":

[root@host01 ~]# cat /var/log/audit/audit.log | grep power
<empty>

Events are logged, though, but without the key:

type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

Any idea what is wrong? Rules with other keys seem to work...

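As an added example that is not part of the original post: while the watch key is missing, the USER_CMD records above still carry the command in the nested msg field, so a defender can match power commands by name. The parser below is my own, assumes the record format shown in the post, and adds one constructed non-power record to show it is left alone.

```python
import re
from typing import Dict, List

# Constructed sample: the two USER_CMD records from the post plus one
# unrelated command, to show that only power commands are flagged.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604800.100:700): pid=3500 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="ls -l /root" terminal=pts/0 res=success'
"""

# The commands the post's rules were meant to catch.
POWER_COMMANDS = {"shutdown", "poweroff", "reboot", "halt"}

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value where the value is bare, "double-quoted" or 'single-quoted' (the nested msg field).
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit.log line into a flat dict; the nested msg='...' is expanded too."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return {}
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        if key == "msg":  # nested quoted message: parse its own key=value pairs
            for inner_key, inner_value in FIELD_RE.findall(value.strip("'")):
                rec[inner_key] = inner_value.strip('"')
        else:
            rec[key] = value
    return rec

def power_events(log_text: str) -> List[Dict[str, str]]:
    """Return the USER_CMD records whose command (argv[0], path stripped) is a power command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "USER_CMD" or "cmd" not in rec:
            continue
        argv0 = rec["cmd"].split()[0].rsplit("/", 1)[-1]
        if argv0 in POWER_COMMANDS:
            hits.append({"serial": rec["serial"], "auid": rec["auid"], "cmd": rec["cmd"], "res": rec["res"]})
    return hits

if __name__ == "__main__":
    for hit in power_events(SAMPLE_LOG):
        print(hit)
```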