Beginner question

Steve Grubb sgrubb at redhat.com
Mon Apr 18 16:31:54 UTC 2016


On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
> Okay here goes.  I must have a simple misunderstanding or I may be
> doing something wrong.
> 
> When I do the below three commands the auid shown back to me is not
> the same from all the commands, but it's the same event.  In the first
> aureport I'm getting back an auid of zero for root.  In the second
> aureport I get back my teammate's auid.  Also in the ausearch for the
> specific event I get my teammate's auid.  I would expect my teammate's
> auid across all but that's not what I see.
> 
> It seems the first aureport replaces the auid with uid.

This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit 
package.

https://fedorahosted.org/audit/changeset/1047

-Steve
> Can anyone point me in the right direction to get my expected results
> working?  I'm happy to share audit.rules and/or PAM configuration,
> although they appear to be the result of someone following the
> standard security guidelines.
> 
> The Red Hat support people have pointed me to "Chapter 7. System
> Auditing" which I am happy to read.  However, I already stumbled upon
> "7.8. Creating Audit Reports" and I didn't see anything that helped me
> out.
> 
> Here are the commands.
> 
> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
> 
> Login Report
> ============================================
> # date time auid host term exe success event
> ============================================
> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
> 
> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
> 
> Login Summary Report
> ============================
> total  auid
> ============================
> 1  849603
> 
> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
> 04/13/2016 17:02:06
> ----
> time->Wed Apr 13 17:02:06 2016
> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
> uid=0 auid=849603 ses=4572
> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
> terminal=/dev/pts/2 res=success'
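As an added example (not code from the thread or from the audit project), here is a small Python parser for USER_LOGIN records of the shape shown above that builds the `aureport -l` row from the record's auid rather than its uid, which is the distinction the bug got wrong. The sample record, the regex helpers and the UTC-4 offset used to reproduce the thread's local timestamps are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample, shaped like the ausearch output in the thread (old "user pid=" style).
SAMPLE = (
    "type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 "
    "uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=login id=849603 exe=\"/usr/sbin/sshd\" hostname=10.120.1.235 "
    "addr=10.120.1.235 terminal=/dev/pts/2 res=success'"
)
# Assumed offset of the box in the thread (17:02:06 local for 21:02:06 UTC).
EDT = timezone(timedelta(hours=-4))

HEADER = re.compile(r"^type=(\S+) msg=audit\(([0-9.]+):(\d+)\):\s*(.*)$")
# A value is single-quoted (may contain spaces), double-quoted, or a bare token.
KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Flatten one audit record into a dict; the msg='...' payload is merged in."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "time": float(m.group(2)), "event": int(m.group(3))}
    for key, val in KV.findall(m.group(4)):
        if val.startswith("'"):                      # nested msg='k=v k=v' payload
            for ik, iv in KV.findall(val[1:-1]):
                rec[ik] = iv.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def login_row(n, rec, tz=None):
    """One 'aureport -l' style row: date time auid host term exe success event.
    The auid column must come from auid, not uid: sshd itself runs as uid=0,
    so printing uid is exactly what produced the '0' seen in the thread."""
    when = datetime.fromtimestamp(rec["time"], tz).strftime("%m/%d/%Y %H:%M:%S")
    ok = "yes" if rec.get("res") == "success" else "no"
    return "%d. %s %s %s %s %s %s %d" % (n, when, rec["auid"], rec.get("hostname", "?"),
                                          rec.get("terminal", "?"), rec.get("exe", "?"),
                                          ok, rec["event"])

def login_summary(records):
    """'aureport -l --summary' equivalent: number of logins per auid."""
    return Counter(r["auid"] for r in records if r["type"] == "USER_LOGIN")

if __name__ == "__main__":
    r = parse_record(SAMPLE)
    print(login_row(1, r, EDT))
    print(dict(login_summary([r])))
```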
