RHEL 5 audit events

[Steve Grubb]

On Tuesday 21 August 2007 09:52:03 Steve Grubb wrote:
> > 1. su - "non_existent_account". Using the nispom.rules provided by
> > audit 1.5.6-1. Using various ausearch parameters, am unable to find a
> > corresponding failure when attempting to "su" to a non-existent
> > account.

On second thought...you were asking about su. This app has not been patched 
for auditing...although I think it should be. In the meantime, you can put a 
watch on the app:

-w /bin/su -p x -k su-used

[sgrubb src]$ su - badacct
su: user badacct does not exist

[root ~]# ausearch --start recent -k su-used -i
----
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=1 name=(null) 
inode=13107250 dev=08:08 mode=file,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/21/2007 10:06:49.166:382) : item=0 name=/bin/su 
inode=24641546 dev=08:08 mode=file,suid,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:su_exec_t:s0 
type=CWD msg=audit(08/21/2007 10:06:49.166:382) :  
cwd=/home/sgrubb/working/BUILD/coreutils-5.97/src 
type=EXECVE msg=audit(08/21/2007 10:06:49.166:382) : a0="su" a1="-" 
a2="badacct" 
type=SYSCALL msg=audit(08/21/2007 10:06:49.166:382) : arch=x86_64 
syscall=execve success=yes exit=0 a0=18172cd0 a1=18186460 a2=18192880 a3=8 
items=2 ppid=6092 pid=6443 auid=sgrubb uid=sgrubb gid=sgrubb euid=root 
suid=root fsuid=root egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=pts1 comm=su 
exe=/bin/su subj=user_u:system_r:unconfined_t:s0 key="su-used"

Hope this helps....

-Steve