From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
Subject: RE: How to make sure a specific event is logged with thge proper
	message type?
Date: Mon, 6 Jul 2015 15:08:12 +0000
Message-ID: <4c840ecade994277bfdf313c6edcc6d3@XCGVAG30.northgrum.com>
References: <23396023F719ED41888885C3B22D602F0154BB@WPEXCH2010MR11.bur.hydro.qc.ca>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1764118002276659168=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx06.extmail.prod.ext.phx2.redhat.com
	[10.5.110.30])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id t66FACOf021928
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Mon, 6 Jul 2015 11:10:12 -0400
Received: from xspv0103.northgrum.com (xspv0103.northgrum.com [134.223.120.78])
	by mx1.redhat.com (Postfix) with ESMTPS id B7FC8389DBD
	for <linux-audit@redhat.com>; Mon,  6 Jul 2015 15:10:09 +0000 (UTC)
In-Reply-To: <23396023F719ED41888885C3B22D602F0154BB@WPEXCH2010MR11.bur.hydro.qc.ca>
Content-Language: en-US
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Alarie, Maxime" <Alarie.Maxime@hydro.qc.ca>, "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

--===============1764118002276659168==
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_4c840ecade994277bfdf313c6edcc6d3XCGVAG30northgrumcom_"

--_000_4c840ecade994277bfdf313c6edcc6d3XCGVAG30northgrumcom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

OK this may be obvious but have you actually tried using useradd to create =
an account before running your ausearch?

From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com=
] On Behalf Of Alarie, Maxime
Sent: Monday, July 06, 2015 10:03 AM
To: linux-audit@redhat.com
Subject: EXT :How to make sure a specific event is logged with thge proper =
message type?

Hi,

I have this rule in audit.rules : -w /usr/sbin/useradd -p x -k user_modific=
ation

When I add a user, and do a ausearch -m ADD_USER   I get 0 match.  Am I doi=
ng something wrong here?  I am using version 1.8.




Thanks


--_000_4c840ecade994277bfdf313c6edcc6d3XCGVAG30northgrumcom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Verdana;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
span.EmailStyle18
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"color:#1F497D">OK this may be obvious=
 but have you actually tried using useradd to create an account before runn=
ing your ausearch?<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"color:#1F497D"><o:p>&nbsp;</o:p></spa=
n></p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> linux-au=
dit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com]
<b>On Behalf Of </b>Alarie, Maxime<br>
<b>Sent:</b> Monday, July 06, 2015 10:03 AM<br>
<b>To:</b> linux-audit@redhat.com<br>
<b>Subject:</b> EXT :How to make sure a specific event is logged with thge =
proper message type?<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA">Hi,<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA">I have this rule in audit.rules=
&nbsp;: -w /usr/sbin/useradd -p x -k user_modification<o:p></o:p></span></p=
>
<p class=3D"MsoNormal"><span lang=3D"EN-CA"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA">When I add a user, and do a aus=
earch &#8211;m ADD_USER&nbsp;&nbsp; I get 0 match.&nbsp; Am I doing somethi=
ng wrong here?&nbsp; I am using version 1.8.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA" style=3D"mso-fareast-language:F=
R-CA"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA" style=3D"mso-fareast-language:F=
R-CA"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA" style=3D"font-family:&quot;Verd=
ana&quot;,&quot;sans-serif&quot;;color:#1F497D;mso-fareast-language:FR-CA">=
<br>
</span><span lang=3D"EN-CA">Thanks<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-CA"><o:p>&nbsp;</o:p></span></p>
</div>
</body>
</html>

--_000_4c840ecade994277bfdf313c6edcc6d3XCGVAG30northgrumcom_--


--===============1764118002276659168==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1764118002276659168==--