From mboxrd@z Thu Jan  1 00:00:00 1970
From: LC Bruzenak <lenny@magitekltd.com>
Subject: RE: questions about auditing on a new RH 6 box
Date: Fri, 14 Jan 2011 12:39:26 -0600
Message-ID: <1295030366.2041.46.camel@lcb>
References: <BF796A1F2058044191F8440424A4212E01A64B47@enid.usno.navy.mil>
	<1295023346.15499.1.camel@localhost.localdomain>
	<BF796A1F2058044191F8440424A4212E01A64C0A@enid.usno.navy.mil>
	<1295026506.2041.19.camel@lcb>
	<BF796A1F2058044191F8440424A4212E01A64C8C@enid.usno.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx05.extmail.prod.ext.phx2.redhat.com
	[10.5.110.9])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id p0EIdrW9012331
	for <linux-audit@redhat.com>; Fri, 14 Jan 2011 13:39:53 -0500
Received: from webserver.magitekltd.com (rrcs-24-242-137-197.sw.biz.rr.com
	[24.242.137.197])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id p0EIdWNo025850
	for <linux-audit@redhat.com>; Fri, 14 Jan 2011 13:39:33 -0500
In-Reply-To: <BF796A1F2058044191F8440424A4212E01A64C8C@enid.usno.navy.mil>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Tangren, Bill" <bill.tangren@usno.navy.mil>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> 
> There are LOTS of the following:
> 
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> 
> There are also some like this, but syscall=open instead.
> 
> 
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account. 
> 

Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd


You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...

HTH,
LCB