Beginner question

Bryan Harris bryanlharris at gmail.com
Mon Apr 18 16:52:50 UTC 2016


Hi Steve,

Thanks for your help.  I will see about getting this into my RHEL6
system one way or another.

V/r,
Bryan

On Mon, Apr 18, 2016 at 12:31 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, April 14, 2016 08:27:04 AM Bryan Harris wrote:
>> Okay here goes.  I must have a simple misunderstanding or I may be
>> doing something wrong.
>>
>> When I do the below three commands the auid shown back to me is not
>> the same from all the commands, but it's the same event.  In the first
>> aureport I'm getting back an auid of zero for root.  In the second
>> aureport I get back my teammate's auid.  Also in the ausearch for the
>> specific event I get my teammate's auid.  I would expect my teammate's
>> auid across all but that's not what I see.
>>
>> It seems the first aureport replaces the auid with uid.
>
> This is correct and it's a bug. This was fixed in the 2.4.1 release of the audit
> package.
>
> https://fedorahosted.org/audit/changeset/1047
>
> -Steve
>
>> Can anyone point me in the right direction to get my expected results
>> working?  I'm happy to share audit.rules and/or PAM configuration,
>> although they appear to be the result of someone following the
>> standard security guidelines.
>>
>> The Red Hat support people have pointed me to "Chapter 7. System
>> Auditing" which I am happy to read.  However, I already stumbled upon
>> "7.8. Creating Audit Reports" and I didn't see anything that helped me
>> out.
>>
>> Here are the commands.
>>
>> $ sudo aureport -l -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>>
>> Login Report
>> ============================================
>> # date time auid host term exe success event
>> ============================================
>> 1. 04/13/2016 17:02:06 0 10.120.1.235 /dev/pts/2 /usr/sbin/sshd yes 1972315
>>
>> $ sudo aureport -l --summary -ts 04/13/2016 17:02:06 -te 04/13/2016 17:02:06
>>
>> Login Summary Report
>> ============================
>> total  auid
>> ============================
>> 1  849603
>>
>> $ sudo ausearch --message USER_LOGIN -ts 04/13/2016 17:02:06 -te
>> 04/13/2016 17:02:06
>> ----
>> time->Wed Apr 13 17:02:06 2016
>> type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792
>> uid=0 auid=849603 ses=4572
>> subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603
>> exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235
>> terminal=/dev/pts/2 res=success'
>
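To make the uid/auid distinction from the exchange above concrete, here is an added example (my own code, not from the thread or from the audit package): a small parser for USER_LOGIN records as `ausearch --message USER_LOGIN` prints them, which builds the per-event login report and the per-auid summary directly from the `auid=` field, and lists the events where auid and uid differ. On a pre-2.4.1 `aureport -l`, which prints the uid in the auid column, those are exactly the events whose report row will disagree with this output. The first sample record is the one quoted in the thread; the remaining records are constructed for illustration with hypothetical uids, hosts and serials.

```python
"""Build a login report keyed on auid straight from raw audit records.

Added example; not part of the mailing-list thread or the audit package.
Input is the record format ausearch prints (or the lines in
/var/log/audit/audit.log), so the output can be compared with what
`aureport -l` / `aureport -l --summary` show on the same time window.
"""
import re
from collections import Counter

# Sample input. Record 1 is the USER_LOGIN record quoted in the thread; the
# other three are constructed for this example (hypothetical values).
SAMPLE_RECORDS = """\
type=USER_LOGIN msg=audit(1460581326.375:1972315): user pid=29792 uid=0 auid=849603 ses=4572 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603 exe="/usr/sbin/sshd" hostname=10.120.1.235 addr=10.120.1.235 terminal=/dev/pts/2 res=success'
type=USER_LOGIN msg=audit(1460581400.101:1972340): user pid=29901 uid=0 auid=849603 ses=4573 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=849603 exe="/usr/sbin/sshd" hostname=10.120.1.240 addr=10.120.1.240 terminal=/dev/pts/3 res=success'
type=USER_LOGIN msg=audit(1460581500.250:1972351): user pid=30010 uid=0 auid=1000 ses=4574 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.120.1.250 addr=10.120.1.250 terminal=/dev/pts/4 res=failed'
type=CRED_ACQ msg=audit(1460581500.260:1972352): user pid=30010 uid=0 auid=1000 ses=4574 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="bob" exe="/usr/sbin/sshd" hostname=10.120.1.250 addr=10.120.1.250 terminal=ssh res=success'
"""

# type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <key=value ...>
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is double-quoted, single-quoted, or a bare token.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Return a dict of fields for one audit record, or None if it does not parse.

    The nested msg='op=login id=... exe=...' payload is flattened into the
    same dict; the outer fields win if a key appears at both levels.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"),
           "time": float(m.group("ts")),
           "event": int(m.group("serial"))}

    def ingest(text):
        for key, val in FIELD_RE.findall(text):
            if val[0] in "\"'" and val[-1] == val[0]:
                val = val[1:-1]          # strip matching quotes
            rec.setdefault(key, val)     # outer level takes precedence

    ingest(m.group("body"))
    if "msg" in rec:
        ingest(rec["msg"])
    return rec


def login_report(records):
    """One row per USER_LOGIN event, auid taken from the auid= field itself."""
    rows = []
    for line in records.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN":
            rows.append({
                "event": rec["event"],
                "auid": int(rec["auid"]),
                "uid": int(rec["uid"]),
                "host": rec.get("addr") or rec.get("hostname"),
                "term": rec.get("terminal"),
                "exe": rec.get("exe"),
                "success": rec.get("res") == "success",
            })
    return rows


def login_summary(records):
    """Login count per auid, the same shape as `aureport -l --summary`."""
    return Counter(row["auid"] for row in login_report(records))


def auid_uid_mismatches(records):
    """Serials of USER_LOGIN events whose auid differs from uid.

    For sshd logins uid is 0 (the daemon) while auid is the user who
    authenticated, so a report that prints uid in the auid column will
    show 0 for exactly these events.
    """
    return [r["event"] for r in login_report(records) if r["auid"] != r["uid"]]


if __name__ == "__main__":
    for row in login_report(SAMPLE_RECORDS):
        print(row)
    print(dict(login_summary(SAMPLE_RECORDS)))
    print("auid != uid on events:", auid_uid_mismatches(SAMPLE_RECORDS))
```

To run it against a live system, replace `SAMPLE_RECORDS` with the output of `ausearch --message USER_LOGIN -ts ... -te ...` (or the raw audit.log) and compare the `auid` column with what `aureport -l` prints for the same event serials; on a version with the fix the two agree, on an older one `aureport -l` shows the uid.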



