Audit 2.0.4 auid issue

Eric Patate flatplane55 at gmail.com
Thu Jun 3 08:46:03 UTC 2010


Hello,

I would like to configure auditd to only log events issued by some users
acting as root after a 'sudo su -'.

Unfortunately, after the user "system" runs "sudo su -", the ids of the user are
the same as root's.

Here is the log of the command date issued by the user "system" (uid 500):

May 27 10:20:36 doma audispd: node=doma type=SYSCALL
msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0
a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006
auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19
sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)

May 27 10:20:36 doma audispd: node=doma type=EXECVE
msg=audit(1274948436.000:57884): a0="date"

May 27 10:20:36 doma audispd: node=doma type=PATH
msg=audit(1274948436.000:57884): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00

Here's the same report of the date command after the user "system" changed
its id using sudo su -:

May 27 10:22:13 doma audispd: node=doma type=SYSCALL
msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0
a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty1 comm="date" exe="/bin/date" key=(null)

May 27 10:22:13 doma audispd: node=doma type=EXECVE
msg=audit(1274948533.407:58095): a0="date"

May 27 10:22:13 doma audispd: node=doma type=PATH
msg=audit(1274948533.407:58095): item=0 name="/bin/date" inode=48341
dev=fd:60 mode=0100755 ouid=0 ogid=0 rdev=00:00

Any idea how I can identify the primary login user for one specific command?

At first I thought it was auid, but its value is always set to 4294967295.

I've also searched for logging commands specific to a TTY, but it seems
auditd cannot filter on one specific TTY.

I've compiled and run audit on our own version of Linux.

Regards

FP.
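As an added example (not part of the original post and not code from the audit project), the following Python script parses the two SYSCALL records quoted above and shows why uid/euid cannot attribute the second one: its auid is 4294967295, which is (uid_t)-1, the value the kernel reports when no login process ever wrote the session's loginuid. A third record is constructed here, not taken from the post: it is the same date command with auid=500, i.e. what a login session that did set loginuid would produce after "sudo su -". The script attributes that record to login uid 500 even though uid and euid are 0, and reports the two real records as unattributable. The field regex, the constructed third record and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Value the kernel reports in auid when no login process set loginuid:
# it is (uid_t)-1, i.e. 2**32 - 1, and is the same for every session.
AUID_UNSET = 4294967295

# Constructed sample: the two SYSCALL records from the post (first from the
# plain user shell, second after "sudo su -") and one EXECVE record, plus a
# third, hypothetical SYSCALL record showing the same command once loginuid
# was set to 500 at login. Pids, timestamps and serials of that third record
# are invented for the example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1274948436.000:57884): arch=c000003e syscall=59 success=yes exit=0 a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19 sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null)
type=EXECVE msg=audit(1274948436.000:57884): a0="date"
type=SYSCALL msg=audit(1274948533.407:58095): arch=c000003e syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27175 pid=27181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="date" exe="/bin/date" key=(null)
type=SYSCALL msg=audit(1274948600.000:58200): arch=c000003e syscall=59 success=yes exit=0 a0=6d4b20 a1=6d4ff0 a2=6d4de0 a3=0 items=2 ppid=27300 pid=27301 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="date" exe="/bin/date" key=(null)
"""

# key=value tokens: quoted strings, parenthesised values such as (null),
# or a bare run of non-space characters (covers msg=audit(...):).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Turn one audit record into a dict; quoted values lose their quotes."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def login_user(rec):
    """Return the login uid as an int, or None when auid was never set."""
    auid = int(rec.get("auid", AUID_UNSET))
    return None if auid == AUID_UNSET else auid


def attribute_commands(log):
    """Group execve records (syscall 59 on x86_64, arch=c000003e) by the
    user who logged in. Records whose auid is unset go to a separate list:
    with auid unset, uid/euid cannot tell root-after-sudo from plain root."""
    attributed = defaultdict(list)
    unattributable = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            continue
        entry = (rec["comm"], int(rec["uid"]), int(rec["euid"]))
        who = login_user(rec)
        if who is None:
            unattributable.append(entry)
        else:
            attributed[who].append(entry)
    return dict(attributed), unattributable


def root_commands_by_login(log):
    """Commands that ran with euid 0 but were started from a non-root login:
    exactly the 'some users acting as root' case, recoverable only via auid."""
    attributed, _ = attribute_commands(log)
    return {who: [e for e in entries if e[2] == 0]
            for who, entries in attributed.items() if who != 0}


if __name__ == "__main__":
    by_login, unknown = attribute_commands(SAMPLE_LOG)
    print("attributed:", by_login)
    print("unattributable (auid unset):", unknown)
    print("root commands from non-root logins:", root_commands_by_login(SAMPLE_LOG))
```

Running it prints the first two records under "unattributable" and only the constructed auid=500 record under login uid 500; the same grouping would work on real records once every login path on the box sets loginuid, because the kernel carries auid across setuid and across the shell spawned by su.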