From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Beginner question
Date: Mon, 18 Apr 2016 12:31:54 -0400
Message-ID: <97412449.buIX4bphSG@x2>
In-Reply-To: <CAJ00z7CtA_zAsnLE=o3oskPoQKBuaDmXjJcf6C-0QJGZpzShdg@mail.gmail.com>
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes. I must have a simple misunderstanding or I may be
> doing something wrong.
>
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event. In the first
> aureport I'm getting back an auid of zero for root. In the second
> aureport I get back my teammate's auid. Also in the ausearch for the
> specific event I get my teammate's auid. I would expect my teammate's
> auid across all but that's not what I see.
>
> It seems the first aureport replaces the auid with uid.
This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
> Can anyone point me in the right direction to get my expected results
> working? I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
>
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read. However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
>
> Here are the commands.
>
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Summary Report
> ============================
> total auid
> ============================
> 1 849603
>
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
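Added example, not code from the audit package or from anyone in this thread: a small Python parser that reads raw USER_LOGIN records in the shape of the ausearch output quoted above and builds the login report two ways. Keyed on auid it gives the expected result (the login uid stamped on the session, 849603 here); keyed on uid it reproduces the confusing pre-2.4.1 output, because the uid field on an sshd login record is sshd's own uid, 0. The sample records are constructed: the first mirrors the quoted event, the second and third (a failed login with an unset auid, and a non-login CRED_ACQ record that must be ignored) are invented to exercise the edge cases.

```python
"""Build an aureport-style login report from raw USER_LOGIN audit records.

Added example, not audit-userspace code.  It shows why the report must key
on auid (the login uid) rather than uid (the uid of the daemon that logged
the event): for sshd the latter is always 0.
"""
import re
import shlex
from datetime import datetime, timezone

# Kernel sentinel for "no login uid set" (AUDIT_UID_UNSET, i.e. (uid_t)-1).
AUID_UNSET = 4294967295

# Constructed sample records.  Line 1 mirrors the event quoted in the thread;
# lines 2 and 3 are invented (failed login with unset auid; a CRED_ACQ record).
SAMPLE_RECORDS = """\
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603 exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(1460581400.001:1972400): pid=29900 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=10.120.1.77 addr=10.120.1.77 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1460581326.370:1972314): pid=29792 uid=0 auid=849603 ses=4572 msg='op=PAM:setcred grantors=pam_unix acct="bob" exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235 terminal=ssh res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)


def _kv(text):
    """Split 'k=v k2="quoted v"' text into a dict; bare words such as 'user' are dropped."""
    out = {}
    for tok in shlex.split(text):
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def parse_record(line):
    """Parse one raw audit line into a flat dict of fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    body = m.group("body")
    fields = {"type": m.group("type"),
              "time": float(m.group("ts")),
              "serial": int(m.group("serial"))}
    # The nested msg='...' part carries the daemon-supplied fields (exe, hostname,
    # terminal, res).  Pull it out first so its quotes don't confuse the outer split.
    inner = re.search(r"msg='(.*)'\s*$", body)
    if inner:
        fields.update(_kv(inner.group(1)))
        body = body[: inner.start()]
    fields.update(_kv(body))  # kernel-stamped outer fields (pid, uid, auid, ses) win
    return fields


def display_uid(value):
    """An auid as aureport prints it: -1 for the kernel's unset sentinel."""
    uid = int(value)
    return -1 if uid == AUID_UNSET else uid


def login_report(raw, subject="auid"):
    """Rows (date, auid, host, term, exe, success, event) for USER_LOGIN events.

    subject="auid" is the correct report.  subject="uid" reproduces the
    pre-2.4.1 bug: every sshd login is reported as 0 because sshd runs as root.
    The column is still called "auid" because that is the header aureport prints.
    """
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        if r["type"] != "USER_LOGIN":
            continue  # CRED_ACQ, USER_AUTH etc. are not logins
        when = datetime.fromtimestamp(r["time"], tz=timezone.utc)
        rows.append({
            "date": when.strftime("%m/%d/%Y %H:%M:%S"),  # UTC, for determinism
            "auid": display_uid(r[subject]),
            "host": r.get("hostname", "?"),
            "term": r.get("terminal", "?"),
            "exe": r.get("exe", "?"),
            "success": r.get("res") == "success",
            "event": r["serial"],
        })
    return rows


def login_summary(rows):
    """Count logins per reported auid, as 'aureport -l --summary' does."""
    counts = {}
    for row in rows:
        counts[row["auid"]] = counts.get(row["auid"], 0) + 1
    return counts


if __name__ == "__main__":
    for subject in ("uid", "auid"):
        print("Login Report keyed on %s" % subject)
        for row in login_report(SAMPLE_RECORDS, subject):
            print("  {date} {auid} {host} {term} {exe} {success} {event}".format(**row))
    print("Summary by auid:", login_summary(login_report(SAMPLE_RECORDS)))
```

Running it prints the first record as auid 0 under the uid-keyed report and as auid 849603 under the auid-keyed one, which is exactly the discrepancy between the two aureport invocations above; the summary counts by auid, matching what the summary report showed. Times are rendered in UTC here, so the quoted 17:02:06 (local, UTC-4) appears as 21:02:06.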
Thread overview (3+ messages):
2016-04-14 12:27 Beginner question Bryan Harris
2016-04-18 16:31 ` Steve Grubb [this message]
2016-04-18 16:52 ` Bryan Harris