ausearch with message types does not return what I think it would return. (0 matches when adding a user)
Steve Grubb
sgrubb at redhat.com
Tue Jun 30 15:22:17 UTC 2015
On Tuesday, June 30, 2015 03:12:40 PM Alarie, Maxime wrote:
> I am new with auditd, and got some issues..
>
> For example, When I add or delete a user, I cannot see the entry with
> ausearch -m ADD_USER, it returns 0 match, BUT its logging it under
> USER_AUTH. If I do a ausearch -x adduser, ill thee se event audit.log with
> the EXECVE Type:
>
> # ausearch -x useradd | grep titi
> type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd" a1="titi"
>
> I also tried to find a full description of all message types returned by
> ausearch -m but could not find any.. Any help on this would be
> appreciated as well.
I think we discovered that shadow-utils had messed up the auditing pretty
badly a few months ago. It caused me to write a document[1] that outlines how
its supposed to work so that we can check any and all implementations to make
sure they follow the standard. The shadow-utils in RHEL7.1 was patched to be
correct and I presume the patch should be upstream by now.
So, I believe that is what you are seeing. Shadow-utils is a horrible piece of
code for auditing because there are about 320 places that have audit events
generated. I think upstream made it a little better, but its a huge problem
because all those events have to be correct...and they weren't.
-Steve
[1] - http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
More information about the Linux-audit
mailing list