From: LC Bruzenak <lenny@magitekltd.com>
To: "Tangren, Bill" <bill.tangren@usno.navy.mil>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: RE: questions about auditing on a new RH 6 box
Date: Fri, 14 Jan 2011 12:39:26 -0600	[thread overview]
Message-ID: <1295030366.2041.46.camel@lcb> (raw)
In-Reply-To: <BF796A1F2058044191F8440424A4212E01A64C8C@enid.usno.navy.mil>

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> 
> There are LOTS of the following:
> 
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary], auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> 
> There are also some like this, but syscall=open instead.
> 
> 
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account. 
> 

Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see the ausearch man page):
% sudo ausearch -ts recent -i -c escd


You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...

HTH,
LCB
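
The grouping that the two commands above give (events per process, and all events for one comm) can also be done on an exported log. The following is an added example, not code from this thread or from the audit package: it parses the one-line key=value format Bill quoted (modelled on that quote, not on ausearch's exact multi-line output), counts SYSCALL records per (comm, exe, syscall) the way a summary report does, and then applies the "do you trust it?" check by flagging records whose comm matches a known daemon but whose exe is not the expected path. The sample lines, the `/tmp/escd` record, and the `TRUSTED` map are constructed for the example.

```python
"""Summarize interpreted auditd SYSCALL records by process and syscall.

Added example (not from the thread or the audit tools). Input format is
modelled on the one-line 'key=value, key=value' records quoted in the
message, so it runs offline on constructed data.
"""
from collections import Counter

# Constructed sample records; the escd path is the one quoted in the thread,
# the /tmp/escd line is invented to exercise the exe-mismatch check.
SAMPLE_LOG = """\
01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0=0x7fff5a2c, a1=0x2190, a2=0xe01, a3=0x0, auid=bill.tangren, comm=escd, egid=bill.tangren, euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid= bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren, subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, tty=none, uid=bill.tangren
01/14/2011 11:44:30 type=SYSCALL, arch=x86_64, syscall=open, success=yes, exit=5, a0=0x1c3d010, a1=0x0, a2=0x1b6, a3=0x0, auid=bill.tangren, comm=escd, euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, items=1, key=null, tty=none, uid=bill.tangren
01/14/2011 11:44:31 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0=0x7fff5a2c, a1=0x2190, a2=0xe02, a3=0x0, auid=bill.tangren, comm=escd, euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, items=2, key=null, tty=none, uid=bill.tangren
01/14/2011 11:51:07 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0=0x7ffd1234, a1=0x2190, a2=0xe03, a3=0x0, auid=bill.tangren, comm=escd, euid=bill.tangren, exe=/tmp/escd, items=2, key=null, tty=pts0, uid=bill.tangren
01/14/2011 11:52:40 type=SYSCALL, arch=x86_64, syscall=open, success=no, exit=-13, a0=0x2313a40, a1=0x0, a2=0x0, a3=0x0, auid=bill.tangren, comm=cat, euid=bill.tangren, exe=/bin/cat, items=1, key=null, tty=pts0, uid=bill.tangren
"""

# Assumed expected path per daemon name (comm); escd's path is from the thread.
TRUSTED = {"escd": "/usr/lib64/esc-1.1.0/escd"}


def parse_record(line):
    """Split one 'date time key=value, key=value' record into a dict.

    Returns None for blank lines. Whitespace around values is stripped so
    'fsgid= bill.tangren' (as in the quoted output) parses cleanly.
    """
    line = line.strip()
    if not line:
        return None
    date, clock, rest = line.split(None, 2)
    rec = {"time": f"{date} {clock}"}
    for field in rest.split(", "):
        if "=" not in field:
            continue
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def parse_log(text):
    """Parse every non-blank line of a log into record dicts."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count SYSCALL records per (comm, exe, syscall), most frequent first."""
    counts = Counter()
    for r in records:
        if r.get("type") == "SYSCALL":
            counts[(r.get("comm"), r.get("exe"), r.get("syscall"))] += 1
    return counts.most_common()


def exe_mismatches(records, trusted):
    """Records whose comm is a known daemon but whose exe is not its expected path.

    A noisy-but-trusted daemon is only safe to filter out if every event really
    comes from the binary you trust; this surfaces the ones that do not.
    """
    return [r for r in records
            if r.get("comm") in trusted and r.get("exe") != trusted[r["comm"]]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (comm, exe, sc), n in summarize(recs):
        print(f"{n:4d}  {comm:<8} {sc:<6} {exe}")
    for r in exe_mismatches(recs, TRUSTED):
        print("unexpected exe:", r["time"], r["comm"], r["exe"], "tty=" + r["tty"])
```

Run against a real export, the summary tells you which (process, binary, syscall) triple is generating the volume, and the mismatch list is the thing to look at before deciding a daemon's events can be filtered.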
