ausearch errors (audit 0.8)
Steve Grubb
sgrubb at redhat.com
Fri May 13 21:16:31 UTC 2005
On Friday 13 May 2005 16:34, Daniel H. Jones wrote:
> ausearch -p 0 returns records that do not have a pid of 0.
It turns out I was init'ing the structure to 0 and changing it as I parsed.
If there was no change, it was still zero. It's fixed now, thanks.
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> ausearch -ul 0 returns records that do not have a login uid of 0.
Same
> ausearch -ua xxx does not find records with a uid or effective uid of xxx.
It was "anding" the uids in the search. They should be or'ed. Will fix.
Thanks.
> ausearch -x /bin/chmod does not find records containing the executable
> name.
>
>type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132
>loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd
>(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh
>result=Success)'
PAM has to be modified to escape the exe name. It should be out next week. PAM
needs work to update to the new message types in addition.
-Steve
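
The two search bugs discussed above (a zero-initialised field matching `-p 0` / `-ul 0`, and `-ua` AND-ing uid with euid), shown in their corrected form as an added example. This is not part of the original message and not the audit project's code; `UNSET`, `field`, `parse`, `match_exact` and `match_uid_all` are hypothetical names, and the record in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNSET (-1L) /* assumed sentinel: no real pid/uid equals it */

struct rec { long pid, uid, euid, loginuid; };

/* Value of " key=<number>" in an audit record line, or UNSET if absent.
 * The leading space keeps "uid" from matching inside "euid"/"loginuid". */
static long field(const char *line, const char *key)
{
    char pat[32], *end;
    const char *p;
    long v;

    snprintf(pat, sizeof pat, " %s=", key);
    p = strstr(line, pat);
    if (!p)
        return UNSET;            /* a zero default here is the -p 0 bug */
    p += strlen(pat);
    v = strtol(p, &end, 10);
    return end == p ? UNSET : v;
}

static struct rec parse(const char *line)
{
    struct rec r = { field(line, "pid"), field(line, "uid"),
                     field(line, "euid"), field(line, "loginuid") };
    return r;
}

/* -p / -ul style match: a field the record never carried cannot match. */
static int match_exact(long have, long want)
{
    return have != UNSET && have == want;
}

/* -ua style match: uid OR euid equals the target, not both. */
static int match_uid_all(const struct rec *r, long want)
{
    return want != UNSET && (r->uid == want || r->euid == want);
}

int main(void)
{
    /* Constructed record with no pid field and differing uid/euid. */
    struct rec r = parse("type=SYSCALL msg=audit(1116014701.100:1): uid=503 euid=0");
    printf("-p 0: %d  -ua 0: %d  -ua 503: %d\n", match_exact(r.pid, 0),
           match_uid_all(&r, 0), match_uid_all(&r, 503));
    return 0;
}
```

When reviewing audit search results from a tool with this class of bug, a query for id 0 is the one most likely to be polluted, since 0 is both root and the default fill value.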