From: Joshua Roys <joshua.roys@gtri.gatech.edu>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: ausearch discrepancies?
Date: Fri, 5 Jun 2009 07:53:09 -0400 [thread overview]
Message-ID: <4A290725.3020202@gtri.gatech.edu> (raw)
In-Reply-To: <1244162237.31664.477.camel@homeserver>
On 06/04/2009 08:37 PM, LC Bruzenak wrote:
> F10, audit-1.7.12
>
> [root@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" |
> tail
> ...
>
> node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
> mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0
> a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
> euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
> comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
> subj=user_u:user_r:user_t:s0 key=delete
>
> The results end with the above record.
>
> Then:
> [root@slim ~]# ausearch -i -ts yesterday | grep "node=" | less
> ...
> node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=
> 542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=
> 36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb
> gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lc
> b fsgid=lcb tty=(none) ses=1 comm=firefox
> exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0
> key=delete
> node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
> arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acb
> b60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset
> uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=n
> tp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
> subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-ch
> ange
> node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user
> pid=14269 uid=root auid=unset ses=4294967295 subj=sys
> tem_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root
> exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cro
> n res=success)'
>
> This shows plenty of events after the 19:11 event shown.
> Any ideas?
>
> # date
> Thu Jun 4 19:29:10 CDT 2009
>
> Reading the manpage is a little confusing on the -ts and -te meanings.
> I'm not sure I agree with the way it is stated, regardless the behavior
> above appears wrong ... but this appears to work correctly:
>
> ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep
> "node=" | tail
> ...
> node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0
> name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00
> mode=dir,700 ouid=lcb ogid=lcb rdev=00:00
> obj=system_u:object_r:mozilla_home_t:s0
> node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) :
> cwd=/home/lcb
> node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) :
> arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0
> a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb
> euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1
> comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox
> subj=user_u:user_r:user_t:s0 key=delete
> node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) :
> arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5
> a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp
> euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none)
> ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd
> subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
>
>
>
> Thx,
> LCB.
>
Yep, the man page says that if you don't specify the time (and by time,
it means the hh:mm:ss part of the date-time) it chooses now.
-te, --end [end-date] [end-time]
Search for events with time stamps equal to or before
the given end time. The format of end time depends on your locale. If
the date is omitted,
today is assumed. *If the time is omitted, now is
assumed.* Use 24 hour clock time rather than AM or PM to specify
time. An example date is
10/24/2005. An example of time is 18:00:00.
Joshua Roys
next prev parent reply other threads:[~2009-06-05 11:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-05 0:37 ausearch discrepancies? LC Bruzenak
2009-06-05 11:53 ` Joshua Roys [this message]
2009-06-05 12:38 ` LC Bruzenak
2009-06-05 15:32 ` Steve Grubb
2009-06-05 15:42 ` LC Bruzenak
2009-06-05 15:53 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A290725.3020202@gtri.gatech.edu \
--to=joshua.roys@gtri.gatech.edu \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox