From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Beginner question
Date: Mon, 18 Apr 2016 12:31:54 -0400 [thread overview]
Message-ID: <97412449.buIX4bphSG@x2> (raw)
In-Reply-To: <CAJ00z7CtA_zAsnLE=o3oskPoQKBuaDmXjJcf6C-0QJGZpzShdg@mail.gmail.com>
On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes. I must have a simple misunderstanding or I may be
> doing something wrong.
>
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event. In the first
> aureport I'm getting back an auid of zero for root. In the second
> aureport I get back my teammate's auid. Also in the ausearch for the
> specific event I get my teammate's auid. I would expect my teammate's
> auid across all but that's not what I see.
>
> It seems the first aureport replaces the auid with uid.
This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
package.
https://fedorahosted.org/audit/changeset/1047
-Steve
> Can anyone point me in the right direction to get my expected results
> working? I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
>
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read. However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
>
> Here are the commands.
>
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>
> Login Summary Report
> ============================
> total auid
> ============================
> 1 849603
>
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
> 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
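Added example, not from the thread or the audit project: a small Python parser for the USER_LOGIN record quoted above (rejoined onto one line as constructed sample input) that pulls out the event serial, uid and auid and cross-checks an `aureport -l` row against the raw record, so a report from an audit package older than 2.4.1 that prints the uid in the auid column is flagged rather than trusted.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the USER_LOGIN record from the thread, rejoined onto one line.
SAMPLE = ("type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 "
          "uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
          "msg='op=login id=849603 exe=\"/usr/sbin/sshd\" hostname=10.120.1.235 "
          "addr=10.120.1.235 terminal=/dev/pts/2 res=success'")
# The aureport -l row from the thread, where the auid column shows 0 (the uid).
BUGGY_LINE = "1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315"

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

def parse_record(line):
    """Parse one audit record into a dict: type, UTC time, serial, then every key=value,
    including the fields nested inside msg='...' (op, id, exe, hostname, res, ...)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)}
    rest, inner = m.group("rest"), ""
    i = rest.find("msg='")          # split off the quoted, module-specific part
    if i != -1:
        inner, rest = rest[i + 5:].rstrip().rstrip("'"), rest[:i]
    for k, v in KV_RE.findall(rest) + KV_RE.findall(inner):
        rec[k] = v.strip('"')
    return rec

def login_report_row(rec):
    """The row aureport -l should print for this record: auid (not uid), host, term, exe, success, event."""
    if rec["type"] != "USER_LOGIN":
        raise ValueError("not a login event")
    return {"auid": int(rec["auid"]), "host": rec.get("hostname", rec.get("addr", "?")),
            "term": rec.get("terminal", "?"), "exe": rec.get("exe", "?"),
            "success": rec.get("res") == "success", "event": rec["serial"]}

def check_report_line(report_line, rec):
    """Compare an 'aureport -l' row with the raw record; return a list of mismatches."""
    parts = report_line.split()
    if len(parts) < 9:
        raise ValueError("unexpected aureport -l row: %r" % report_line)
    reported = {"auid": int(parts[3]), "host": parts[4], "term": parts[5], "exe": parts[6],
                "success": parts[7] == "yes", "event": int(parts[8])}
    expected = login_report_row(rec)
    problems = ["%s: report says %r, record says %r" % (k, reported[k], v)
                for k, v in expected.items() if reported[k] != v]
    if reported["auid"] != expected["auid"] and reported["auid"] == int(rec["uid"]):
        problems.append("auid column holds the uid; aureport before 2.4.1 printed uid here")
    return problems
```

Running `check_report_line(BUGGY_LINE, parse_record(SAMPLE))` on the thread's data reports the auid mismatch and names the uid substitution; the same row with 849603 in the auid column checks clean.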