How to make sure a specific event is logged with thge proper message type?

How to make sure a specific event is logged with thge proper message type?

[Alarie, Maxime]

[-- Attachment #1.1: Type: text/plain, Size: 235 bytes --]

Hi,

I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification

When I add a user, and do a ausearch -m ADD_USER   I get 0 match.  Am I doing something wrong here?  I am using version 1.8.




Thanks


[-- Attachment #1.2: Type: text/html, Size: 2799 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: How to make sure a specific event is logged with thge proper message type?

[Boyce, Kevin P (AS)]

[-- Attachment #1.1: Type: text/plain, Size: 618 bytes --]

OK this may be obvious but have you actually tried using useradd to create an account before running your ausearch?

From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Alarie, Maxime
Sent: Monday, July 06, 2015 10:03 AM
To: linux-audit@redhat.com
Subject: EXT :How to make sure a specific event is logged with thge proper message type?

Hi,

I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification

When I add a user, and do a ausearch -m ADD_USER   I get 0 match.  Am I doing something wrong here?  I am using version 1.8.




Thanks


[-- Attachment #1.2: Type: text/html, Size: 3834 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: How to make sure a specific event is logged with thge proper message type?

[Alarie, Maxime]

[-- Attachment #1.1: Type: text/plain, Size: 1151 bytes --]

Thanks for the reply.

Of course :)  I also  tried DEL_USER on a deleted user, and nothing gets logged under that  type, also I never get the hostname and addr fileds filled up..  Its always  hostname=? And addr=?

Help is aprecited.


De : Boyce, Kevin P (AS) [mailto:Kevin.Boyce@ngc.com]
Envoyé : 6 juillet 2015 11:08
À : Alarie, Maxime; linux-audit@redhat.com
Objet : RE: How to make sure a specific event is logged with thge proper message type?

OK this may be obvious but have you actually tried using useradd to create an account before running your ausearch?

From: linux-audit-bounces@redhat.com<mailto:linux-audit-bounces@redhat.com> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Alarie, Maxime
Sent: Monday, July 06, 2015 10:03 AM
To: linux-audit@redhat.com<mailto:linux-audit@redhat.com>
Subject: EXT :How to make sure a specific event is logged with thge proper message type?

Hi,

I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modification

When I add a user, and do a ausearch -m ADD_USER   I get 0 match.  Am I doing something wrong here?  I am using version 1.8.




Thanks


[-- Attachment #1.2: Type: text/html, Size: 6792 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: How to make sure a specific event is logged with thge proper message type?

[Steve Grubb]

On Monday, July 06, 2015 02:02:32 PM Alarie, Maxime wrote:
> Hi,
> 
> I have this rule in audit.rules : 
> -w /usr/sbin/useradd -p x -k user_modification

Note that this rule will create a SYSCALL event. To find it later, you would 
run:

ausearch --start today -k user_modification


> When I add a user, and do a ausearch -m ADD_USER   I get 0 match.  Am I
> doing something wrong here?  I am using version 1.8.

This event is a user space originating event and it depends on shadow-utils 
being correctly patched to generate the events specified in:

http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt

If it doesn't, you should file a bug report against the shadow-utils package of 
your distribution so that they know about the issue.

-Steve