public inbox for linux-audit@redhat.com
* Need help, we are receiving type=SYSCALL with auid=unset event entries
@ 2014-06-03 20:28 Briane Lin
  2014-06-04  1:56 ` Steve Grubb
       [not found] ` <5CB21FE316752445AF212D47C8BE561127541357@XMBVAG75.northgrum.com>
  0 siblings, 2 replies; 3+ messages in thread
From: Briane Lin @ 2014-06-03 20:28 UTC (permalink / raw)
  To: linux-audit



We are receiving LINUX RHEL versions 5 and 6 in our environment with 
type=SYSCALL and auid=unset event types.

We are unable to properly monitor an event with AUID=unset, does anyone 
know why we are currently seeing these and what is the resolution?

Thanks!

Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin@us.ibm.com
(Office): (720) 395-2049

"The only easy day was yesterday." 
     - US Navy Seals -



* Re: Need help, we are receiving type=SYSCALL with auid=unset event entries
  2014-06-03 20:28 Need help, we are receiving type=SYSCALL with auid=unset event entries Briane Lin
@ 2014-06-04  1:56 ` Steve Grubb
       [not found] ` <5CB21FE316752445AF212D47C8BE561127541357@XMBVAG75.northgrum.com>
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2014-06-04  1:56 UTC (permalink / raw)
  To: linux-audit

On Tuesday, June 03, 2014 01:28:40 PM Briane Lin wrote:
> We are unable to properly monitor an event with AUID=unset, does anyone 
> know why we are currently seeing these and what is the resolution?

If you have an unset auid and it's supposed to be meaningful, then the way that
people are logging in does not set the auid. This can be done in entrypoint
software by calling audit_setloginuid(). PAM has coding examples.

-Steve
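
To see which programs are producing the unset-auid events discussed in this reply, the script below tallies SYSCALL records with an unset auid by executable. It is an added example, not code from the thread or from the audit project; the sample records are constructed, `myportal` is a hypothetical in-house entry point, and treating ppid=1 as a daemon hint is an assumption.

```python
import re

# Raw logs store an unset login UID as (uid_t)-1; `ausearch -i` prints "unset".
UNSET = {"4294967295", "unset"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not taken from the thread). Records 1, 2 and 4 are
# raw format, record 3 is interpreted (-i) format; "myportal" is hypothetical.
SAMPLE = """\
type=SYSCALL msg=audit(1401827320.101:812): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="etc-watch"
type=SYSCALL msg=audit(1401827321.440:813): arch=c000003e syscall=2 success=yes exit=3 ppid=2301 pid=2302 auid=500 uid=0 gid=0 ses=4 comm="vi" exe="/bin/vi" key="etc-watch"
type=SYSCALL msg=audit(06/03/2014 14:28:44.120:814) : arch=x86_64 syscall=open success=yes exit=3 ppid=1850 pid=1877 auid=unset uid=root ses=unset comm=myportal exe=/opt/portal/bin/myportal key=etc-watch
type=USER_LOGIN msg=audit(1401827330.000:815): pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" res=failed'
"""

def parse(line):
    """Split one audit record into a field dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def unset_auid_sources(text):
    """Tally SYSCALL records with an unset auid, keyed by executable.

    'ppid1' counts events whose parent is init: a hint (assumption, not proof)
    that the process is a boot-time daemon for which an unset auid is expected.
    """
    out = {}
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("auid") not in UNSET:
            continue
        row = out.setdefault(rec.get("exe", "?"), {"events": 0, "ppid1": 0})
        row["events"] += 1
        row["ppid1"] += rec.get("ppid") == "1"
    return out

if __name__ == "__main__":
    for exe, row in sorted(unset_auid_sources(SAMPLE).items()):
        print(f"{exe}: {row['events']} event(s), {row['ppid1']} with ppid=1")
```

Executables that appear here and are reached through a user login are the entry points that need to set the login UID.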


* RE: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries
       [not found] ` <5CB21FE316752445AF212D47C8BE561127541357@XMBVAG75.northgrum.com>
@ 2014-06-04 19:28   ` Briane Lin
  0 siblings, 0 replies; 3+ messages in thread
From: Briane Lin @ 2014-06-04 19:28 UTC (permalink / raw)
  To: Boyce, Kevin P (AS); +Cc: linux-audit



Thanks Kevin.

The systems are at RHEL server release 6.5 (Santiago)

audit.conf and audit.rules shown below from two systems.

Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin@us.ibm.com
(Office): (720) 395-2049

"The only easy day was yesterday." 
     - US Navy Seals -





From:   "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
To:     Briane Lin/Phoenix/IBM@IBMUS
Date:   06/04/2014 07:00 AM
Subject:        RE: EXT :Need help, we are receiving type=SYSCALL with 
auid=unset event entries



You might get some better help if you can be a bit more specific.
What version of auditd, kernel, etc. are you running?
What do the contents of your audit.rules and auditd.conf files look like?
 
 
 
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Briane Lin
Sent: Tuesday, June 03, 2014 4:29 PM
To: linux-audit@redhat.com
Subject: EXT :Need help, we are receiving type=SYSCALL with auid=unset 
event entries
 
We are receiving LINUX RHEL versions 5 and 6 in our environment with 
type=SYSCALL and auid=unset event types. 

We are unable to properly monitor an event with AUID=unset, does anyone 
know why we are currently seeing these and what is the resolution? 

Thanks! 

Briane Lin 
IBM Global Technology Services - Americas 
Identity and Access Management, Automation Solutions
(Email): brlin@us.ibm.com 
(Office): (720) 395-2049 

"The only easy day was yesterday." 
    - US Navy Seals - 

