From: Warron S French
Subject: audit-tools and SUDO
Date: Tue, 10 May 2016 12:31:19 +0000
To: linux-audit@redhat.com

Good morning everyone,

I am working on an environment where I have managed to get centralized audit logging to work - roughly 95% properly on six (6) CentOS-6.7 workstations and a single (1) CentOS-6.7 server.

I have two problems though; and they seem somewhat minor:

1. The audit events being captured don't seem to be tied to any given node (so that I can perform ausearch --node hostName, or aureport), that's the first issue.

2. The second issue is that I need to configure sudo to enable my Special Security Team with the ability to perform their duties using the aureport and the ausearch commands, but I get an error that appears to be based on permissions.

I am hoping that you guys can steer me in the correct direction; and I can update my documentation to be even a little more thorough.

Scenario 2 might be more of a membership issue now that I think about it; so please disregard, as I think this is some weird 389-ds issue.

I am hoping though that someone can suggest a reason why, when I look directly at the content of the /var/log/audit/audit.log, I am not seeing any references to node=hostname1, hostname2 .. hostnameN? Maybe I did misconfigure something, but I followed my own instructions to the "T" and they didn't produce this issue.

Thank you in advance for your precious time sincerely,

Warron French, MBA, SCSA

From: Burn Alting
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 22:52:21 +1000
Message-ID: <1462884741.3439.16.camel@swtf.swtf.dyndns.org>
To: Warron S French
Cc: linux-audit@redhat.com

On Tue, 2016-05-10 at 12:31 +0000, Warron S French wrote:
> 1. The audit events being captured don't seem to be tied to any
> given node (so that I can perform ausearch --node hostName, or
> aureport), that's the first issue.

What have you set the configuration parameter 'name_format'
in /etc/audit/auditd.conf to?

One assumes you may want to set
name_format = fqd
or
name_format = hostname

After the change on each host, don't forget to reload the configuration
with either a sighup on the auditd process or just restart the service.

> 2. The second issue is that I need to configure sudo to enable my
> Special Security Team with the ability to perform their duties using
> the aureport and the ausearch commands, but I get an error that
> appears to be based on permissions.

I recommend you show the command and resultant error in situations like
this. That way we can provide a more informed response.

From: Warron S French
Subject: RE: audit-tools and SUDO
Date: Tue, 10 May 2016 13:07:20 +0000
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com

Hello Burn, thanks for your inputs.

Oddly enough in my lab, where this is working as expected, the name_format = NONE; and that is on my test server (server1), and also in both test clients (client1 and client2).

However, in my production environment, I would have to double check the setting /etc/audit/auditd.conf::name_format and see what it is set to, because my instructions don't mention it; based on the email interaction with Steve Grubb.

Thanks for the prompt reply Burn.

Warron French, MBA, SCSA

From: Steve Grubb
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 09:25:12 -0400
Message-ID: <4636570.EUPpVmsaCN@x2>
To: linux-audit@redhat.com, burn@swtf.dyndns.org

On Tuesday, May 10, 2016 10:52:21 PM Burn Alting wrote:
> One assumes you may want to set
> name_format = fqd
> or
> name_format = hostname
>
> After the change on each host, don't forget to reload the configuration
> with either a sighup on the auditd process or just restart the service.

This would set it for the local logs. And you would need to do this on the
server that is aggregating the logs. (I think I forgot to mention that last
week.) But for the workstations, you have to set name_format in audispd.conf.

> I recommend you show the command and resultant error in situations like
> this. That way we can provide a more informed response.

One approach some people take is to use the log_group setting in auditd.conf.
If there is a group that the security people belong to that others don't, then
using that group name for log_group is the easiest way and exactly why
this option exists.

-Steve

From: Warron S French
Subject: RE: audit-tools and SUDO
Date: Tue, 10 May 2016 13:44:50 +0000
To: Steve Grubb, linux-audit@redhat.com, burn@swtf.dyndns.org

Replies are in-line with responses.

Warron French, MBA, SCSA

> > After the change on each host, don't forget to reload the configuration
> > with either a sighup on the auditd process or just restart the service.

On the lab-clients' end:
In, and ONLY IN, my /etc/audisp/audispd.conf file have I set name_format=hostname, where hostname is a literal string of 'hostname', not THE hostname; there is no name_format reference in any other file on my lab-client machines under the directory /etc/audisp/ anywhere. Also on my lab-client machines in the /etc/audit/auditd.conf file the name_format variable is set to NONE.

On the lab-server end:
In the only file that I modified, /etc/audit/auditd.conf, the only variables that I altered were:
tcp_listen_port  = 60
tcp_client_ports = 60
use_libwrap      = no  (because I am using iptables)

The lab works as expected, but my production environment does not. %-/

> This would set it for the local logs. And you would need to do this on the
> server that is aggregating the logs. (I think I forgot to mention that last
> week.) But for the workstations, you have to set name_format in audispd.conf.

> One approach some people take is to use the log_group setting in auditd.conf.
> If there is a group that the security people belong to that others don't, then
> using that group name for log_group is the easiest way and exactly why
> this option exists.

Thanks for this Steve, I am going to engage the Special Security Team, because I have thought of another approach - making the auditors group become a local (/etc/group) file entry instead of using 389-ds to manage this association; that way it will always be reliable.

From: Steve Grubb
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 10:31:03 -0400
Message-ID: <2247443.0y4SDndMu0@x2>
To: Warron S French
Cc: linux-audit@redhat.com

On Tuesday, May 10, 2016 01:44:50 PM Warron S French wrote:
> On the lab-clients' end:
> In, and ONLY IN, my /etc/audisp/audispd.conf file have I set
> name_format=hostname, where hostname is a literal string of 'hostname', not
> THE hostname;

This is correct. Did you set remote_server in /etc/audisp/audisp-remote.conf?

> On the lab-server end:
> In the only file that I modified, /etc/audit/auditd.conf, the only variables
> that I altered were:
> tcp_listen_port  = 60
> tcp_client_ports = 60
> use_libwrap      = no  (because I am using iptables)

You would want to set name_format. This way the local events on the
aggregating server have the same format.

> The lab works as expected, but my production environment does not. %-/

I would start by checking that events are coming out of the remote systems.
You can use tcpdump port 60 on the clients. After confirming that, do the same
on the server to see if events are getting there. Then look in syslog for
anything that might give a clue. And then you can also tail -f
/var/log/audit/audit.log to see if things are getting written to disk.

-Steve

From: Warron S French
Subject: RE: audit-tools and SUDO
Date: Tue, 10 May 2016 15:25:36 +0000
To: Steve Grubb
Cc: linux-audit@redhat.com

Replies are inline.

Warron French, MBA, SCSA

> This is correct. Did you set remote_server in /etc/audisp/audisp-remote.conf?

\\ Yes, the /etc/audisp/audisp-remote.conf file does have remote_server = <myServer1>.

> You would want to set name_format. This way the local events on the
> aggregating server have the same format.

\\ So, Steve, I will set name_format, on the server, to 'hostname' explicitly, without the quotes, then - thank you.

> I would start by checking that events are coming out of the remote systems.
> You can use tcpdump port 60 on the clients. After confirming that, do the same
> on the server to see if events are getting there. Then look in syslog for
> anything that might give a clue. And then you can also tail -f
> /var/log/audit/audit.log to see if things are getting written to disk.

\\ Steve, I know that I am receiving inputs to the server; because I can see events that I am purposely triggering based on 2 rules that I added and know how to cause an event; it is just that the node=client1 (for example) isn't being sent along with the line being recorded. Does this troubleshooting step still make sense anyway?

From: Steve Grubb
Subject: Re: audit-tools and SUDO
Date: Tue, 10 May 2016 11:45:06 -0400
Message-ID: <3294586.6i81xjxGkV@x2>
To: Warron S French
Cc: linux-audit@redhat.com

On Tuesday, May 10, 2016 03:25:36 PM Warron S French wrote:
> \\ Steve, I know that I am receiving inputs to the server; because I can see
> events that I am purposely triggering based on 2 rules that I added and
> know how to cause an event; it is just that the node=client1 (for example)
> isn't being sent along with the line being recorded. Does this
> troubleshooting step still make sense anyway?

No. If you are getting events at the server and audispd.conf has
name_format=hostname, it should be working. If this was set after the audit
daemon on the clients started, then you need to restart the audit daemon for
the name to take effect. As written, it collects the name one time at start up
and uses it in all future events. This could be changed, but that is how it's
done today. If you restart auditd on a non-systemd OS, this will cause the
admin's auid to get stuck into the audit daemon's task structure and will
cause problems. So, the cleanest thing to do is reboot the workstation so that
audispd has the hostname and your auid is not in daemons.

-Steve

From: Warron S French
Subject: RE: audit-tools and SUDO
Date: Tue, 10 May 2016 17:46:14 +0000
To: Steve Grubb
Cc: linux-audit@redhat.com

OK, thank you. I will do/try that and see if it makes a difference and then report back to close out this thread.

Thanks Steve,

Warron French, MBA, SCSA
> > \\ Steve, I know that I am receiving inputs to the server; because I > can see events that I am purposely triggering based on 2 rules that I > added and know how to cause an event; it is just that the node=client1 > (for example) aren't being sent along with the line being recorded. > Does this troubleshooting step still make sense anyway? No. If you are getting events at the server and audispd.conf has name_format= hostname, it should be working. If this was set after the audit daemon on the clients started, then you need to restart the audit daemon for the name to take effect. As written, it collects the name one time at start up and uses it in all future events. This could be changed but that is how its doing today. If you restart auditd on a non-systemd OS, this will cause the admin's auid to get stuck into the audit daemon's task structure and will cause problems. So, the cleanest thing to do is reboot the work station so that audispd has the hostname and your auid is not in daemons. -Steve
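The thread turns on three checks: whether name_format is actually set on each host (client audispd.conf and the aggregating server's auditd.conf), whether the records landing in the aggregated audit.log carry the node= prefix that ausearch --node needs, and, after an auditd restart on a non-systemd box, whether the admin's auid got stuck in the daemon. The script below is an added example and is not code from the thread or from the audit-userspace project. The config fragments, the audit.log records and the /proc loginuid contents it reads are constructed samples written to a temporary directory; the file names, host names, timestamps and the hex-encoded command are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the audit-userspace project.
# Checks (1) the effective name_format in an auditd.conf/audispd.conf-style
# file, (2) whether every record in an aggregated audit.log carries a node=
# prefix, and (3) whether a daemon's /proc/<pid>/loginuid is still unset.
# All sample configs, log records and loginuid files below are constructed.

# Print the effective name_format of a "key = value" config file, lower-cased.
# The daemon default when the key is absent or commented out is "none".
audit_name_format() {
    awk -F= '
        NF == 0 { next }
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        tolower(k) == "name_format" {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            fmt = tolower(v)
        }
        END { print (fmt == "" ? "none" : fmt) }
    ' "$1"
}

# "ok" when name_format names a host, "fix" when it is (or defaults to) none.
# Per the thread, both the clients and the aggregating server need it set.
audit_host_verdict() {
    case "$(audit_name_format "$1")" in
        none) echo fix ;;
        *)    echo ok ;;
    esac
}

# Count non-empty records that do NOT start with node=; these are the lines
# that ausearch --node cannot attribute to any host.
audit_records_without_node() {
    awk 'NF && $0 !~ /^node=/ { n++ } END { print n + 0 }' "$1"
}

# Distinct node names seen in the log, one per line, sorted.
audit_nodes() {
    sed -n 's/^node=\([^ ]*\) .*/\1/p' "$1" | sort -u
}

# Succeed only if the loginuid file holds 4294967295 (auid unset). A real uid
# there means an admin's auid is stuck in the daemon, the failure mode Steve
# describes for restarting auditd without systemd.
audit_daemon_auid_unset() {
    [ "$(tr -d '[:space:]' < "$1")" = 4294967295 ]
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Client audispd.conf as described in the thread: the literal word hostname.
cat > "$SAMPLE_DIR/audispd.conf" <<'EOF'
q_depth = 80
overflow_action = SYSLOG
name_format = hostname
EOF

# Aggregating server auditd.conf with name_format still NONE (the gap Steve
# pointed out), so the server's own local events would lack node= as well.
cat > "$SAMPLE_DIR/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
# name_format = hostname   (commented out, so the default applies)
name_format = NONE
tcp_listen_port = 60
tcp_client_ports = 60
use_libwrap = no
EOF

# Constructed audit.log: two records from a client whose name_format was in
# place before auditd started, one from a client that was not restarted, and
# one aureport invocation from a second client. Ids and times are made up.
cat > "$SAMPLE_DIR/audit.log" <<'EOF'
node=client1 type=SYSCALL msg=audit(1462883000.101:201): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 key="watch-etc"
node=client1 type=CWD msg=audit(1462883000.101:201):  cwd="/root"
type=SYSCALL msg=audit(1462883010.455:77): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=0 key="watch-etc"
node=client2 type=USER_CMD msg=audit(1462883020.900:310): pid=4242 uid=1002 auid=1002 msg='cwd="/home/sec" cmd=61757265706F7274202D2D73756D6D617279 terminal=pts/0 res=success'
EOF

# Constructed loginuid contents: one healthy daemon, one with a stuck auid.
printf '4294967295\n' > "$SAMPLE_DIR/loginuid.unset"
printf '1000\n'       > "$SAMPLE_DIR/loginuid.stuck"

# Stand-alone run: print the findings.
echo "client name_format: $(audit_name_format "$SAMPLE_DIR/audispd.conf") ($(audit_host_verdict "$SAMPLE_DIR/audispd.conf"))"
echo "server name_format: $(audit_name_format "$SAMPLE_DIR/auditd.conf") ($(audit_host_verdict "$SAMPLE_DIR/auditd.conf"))"
echo "records without node=: $(audit_records_without_node "$SAMPLE_DIR/audit.log")"
echo "nodes seen: $(audit_nodes "$SAMPLE_DIR/audit.log" | tr '\n' ' ')"
audit_daemon_auid_unset "$SAMPLE_DIR/loginuid.stuck" || echo "stuck auid detected in sample daemon"
```

On a live CentOS 6 host the same functions take the real files: audit_name_format /etc/audisp/audispd.conf on a client, audit_name_format /etc/audit/auditd.conf on the server, audit_records_without_node /var/log/audit/audit.log on the server, and audit_daemon_auid_unset /proc/$(pidof auditd)/loginuid after the reboot Steve recommends. The tcpdump step from the thread is tcpdump -ni any tcp port 60 on a client and then on the server; once records carry the prefix, ausearch --node client1 -i is the query the team wanted.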