ausearch errors (audit 0.8)

Daniel H. Jones hotrats at us.ibm.com
Fri May 13 20:34:10 UTC 2005


I'm running kernel.35 with the audit 0.8 package and I see these problems.

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -p 0 returns records that do not have a pid of 0.
----
time->Fri May 13 15:06:59 2005
type=CONFIG_CHANGE msg=audit(1116014819.245:0): audit_enabled=1 old=1 by 
auid 4294967295
----
time->Fri May 13 15:06:59 2005
type=CONFIG_CHANGE msg=audit(1116014819.457:0): audit_backlog_limit=256 
old=256 by auid 4294967295
----
time->Fri May 13 15:07:11 2005
type=CONFIG_CHANGE msg=audit(1116014831.958:0): auid 4294967295 added an 
audit rule

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ul 0 returns records that do not have a login uid of 0.
type=DAEMON_START msg=audit(1116014676.856:314) auditd start, ver=0.8, 
format=raw, uid=0  auditd pid=7489
type=CONFIG_CHANGE msg=audit(1116014677.059:0): audit_enabled=1 old=1 by 
auid 0
type=CONFIG_CHANGE msg=audit(1116014677.271:0): audit_backlog_limit=256 
old=256 by auid 0
type=CONFIG_CHANGE msg=audit(1116014679.581:0): auid 0 added an audit rule
type=DAEMON_END msg=audit(1116014685.651:315) auditd normal halt, 
sending pid=7503 uid=0  auditd pid=7489

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ua xxx does not find records with a uid or effective uid of xxx.

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -x /bin/chmod does not find records containing the executable name.

 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ul 4294967295 returns records that do not match the login uid.
type=DAEMON_START msg=audit(1116014693.044:454) auditd start, ver=0.8, 
format=raw, uid=0  auditd pid=7640
type=CONFIG_CHANGE msg=audit(1116014693.256:0): auid 0 removed an audit rule
type=CONFIG_CHANGE msg=audit(1116014693.249:0): audit_enabled=1 old=1 by 
auid 0
type=CONFIG_CHANGE msg=audit(1116014693.664:0): audit_backlog_limit=256 
old=256 by auid 0
type=LOGIN msg=audit(1116014701.630:0): login pid=7653 uid=0 old 
loginuid=4294967295 new loginuid=503
type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132 
loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd 
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh 
result=Success)'
type=DAEMON_END msg=audit(1116014715.222:455) auditd normal halt, 
sending pid=7684 uid=0  auditd pid=7640


-- 
Thanks,
Dan Jones
IBM Linux Technology Center, Security
512-838-1794 (T/L 678-1794)
hotrats at us.ibm.com
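The searches the report exercises, as an added example that is not part of the post or of the audit package: a small Python parser for the raw record format quoted above, plus an exact-match filter over the fields ausearch's `-p`, `-ul`, `-ua` and `-x` options refer to (pid, login uid, uid and executable). The sample record lines are copied from the mail and re-joined where the mail client wrapped them; that they are plain "raw"-format records, that the prose forms "by auid N" / "auid N ..." and the `loginuid=` key all denote the login uid, and the names `parse_record`, `search` and `report_queries` are all assumptions of this example. It shows what a correct run of the five queries over these records would return, for comparison with the output in the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the record lines quoted in the report, re-joined where the
# mail client wrapped them. Assumed to be plain "raw"-format audit records.
SAMPLE_RECORDS = [
    "type=DAEMON_START msg=audit(1116014676.856:314) auditd start, ver=0.8, "
    "format=raw, uid=0  auditd pid=7489",
    "type=CONFIG_CHANGE msg=audit(1116014677.059:0): audit_enabled=1 old=1 by auid 0",
    "type=CONFIG_CHANGE msg=audit(1116014679.581:0): auid 0 added an audit rule",
    "type=LOGIN msg=audit(1116014701.630:0): login pid=7653 uid=0 old "
    "loginuid=4294967295 new loginuid=503",
    "type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132 "
    "loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd "
    "(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh result=Success)'",
    "type=DAEMON_END msg=audit(1116014685.651:315) auditd normal halt, "
    "sending pid=7503 uid=0  auditd pid=7489",
]

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")          # key=value or key='quoted text'
HEADER_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")  # seconds.millis:serial
AUID_WORD_RE = re.compile(r"\bauid (\d+)\b")        # "by auid 0", "auid 0 added ..."


@dataclass
class Record:
    rtype: str
    time: float
    serial: int
    # Every value seen for a key is kept: DAEMON_END carries two pid= fields,
    # LOGIN carries an old and a new loginuid=.
    fields: Dict[str, List[str]] = field(default_factory=dict)

    def has(self, key: str, value: str) -> bool:
        """Exact match against any value recorded for the key."""
        return value in self.fields.get(key, [])


def _collect(text: str, fields: Dict[str, List[str]]) -> None:
    for m in KV_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if value.startswith("'"):
            _collect(value[1:-1], fields)   # key=value pairs nested in msg='...'
            continue
        value = value.rstrip(",)")          # "ver=0.8," and "result=Success)"
        if key == "loginuid":               # assumption: same concept as auid
            key = "auid"
        fields.setdefault(key, []).append(value)


def parse_record(line: str) -> Record:
    """Parse one raw audit record line into a Record."""
    h = HEADER_RE.search(line)
    if h is None:
        raise ValueError("not an audit record: " + line)
    fields: Dict[str, List[str]] = {}
    _collect(line, fields)
    for m in AUID_WORD_RE.finditer(line):   # prose form used by CONFIG_CHANGE
        fields.setdefault("auid", []).append(m.group(1))
    rtype = fields.get("type", ["UNKNOWN"])[0]
    return Record(rtype, float(h.group(1) + "." + h.group(2)), int(h.group(3)), fields)


def search(records: List[Record], pid: Optional[str] = None, auid: Optional[str] = None,
           uid: Optional[str] = None, exe: Optional[str] = None) -> List[Record]:
    """Return records where every given criterion matches a field exactly."""
    wanted = {"pid": pid, "auid": auid, "uid": uid, "exe": exe}
    return [r for r in records
            if all(r.has(k, v) for k, v in wanted.items() if v is not None)]


def report_queries(lines: List[str] = SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Run the five searches from the report; map each to the matching record types."""
    records = [parse_record(line) for line in lines]
    queries = {
        "-p 0": dict(pid="0"),
        "-ul 0": dict(auid="0"),
        "-ua 0": dict(uid="0"),
        "-x /usr/sbin/sshd": dict(exe="/usr/sbin/sshd"),
        "-ul 4294967295": dict(auid="4294967295"),
    }
    return {q: [r.rtype for r in search(records, **kw)] for q, kw in queries.items()}


if __name__ == "__main__":
    for query, types in report_queries().items():
        print(f"ausearch {query:<18} -> {types}")
```

With exact field matching, `-p 0` returns nothing (no record in the sample carries `pid=0`), `-ul 0` returns only the two CONFIG_CHANGE records that name `auid 0`, and the DAEMON_START/DAEMON_END records, which carry `uid=0` but no login uid, fall out of the login-uid query. The `uid=0` inside the DAEMON_START and DAEMON_END records is why a filter that confuses `uid` with the login uid would return them.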



