questions about auditing on a new RH 6 box
Tangren, Bill
bill.tangren at usno.navy.mil
Fri Jan 14 19:04:46 UTC 2011
-----Original Message-----
From: LC Bruzenak [mailto:lenny at magitekltd.com]
Sent: Friday, January 14, 2011 1:39 PM
To: Tangren, Bill
Cc: linux-audit at redhat.com
Subject: RE: questions about auditing on a new RH 6 box
On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
>
> There are LOTS of the following:
>
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
>
> There are also some like this, but syscall=open instead.
>
>
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account.
>
Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)
The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.
Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary
Also a couple of of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd
^^^^^^^^^^^^^^^^
These are the top results for the ausearch command given above:
930 /usr/lib64/esc-1.1.0/escd
82 /usr/libexec/abrt-hook-ccpp
44 /usr/sbin/sshd
43 /usr/sbin/crond
41 /usr/sbin/usermod
34 /sbin/unix_chkpwd
31 /usr/bin/sudo
24 /bin/ls
22 /usr/sbin/abrtd (deleted)
21 /usr/sbin/httpd
17 /usr/libexec/openssh/sftp-server
15 /bin/su
14 /usr/libexec/gnome-screensaver-dialog
14 /usr/sbin/cupsd
OK. It appears that the RH smart card reader software is doing this, which is odd, considering I'm not using a smart card right now. I'll disable it (for now) and see what happens. But I'm going to want it working eventually.
Bill
More information about the Linux-audit
mailing list