[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: questions about auditing on a new RH 6 box




-----Original Message-----
From: LC Bruzenak [mailto:lenny magitekltd com] 
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit redhat com
Subject: RE: questions about auditing on a new RH 6 box

Probably can use a sampling of events as well.

LCB

-- 
LC (Lenny) Bruzenak
lenny magitekltd com


This is an example of what I see in audit-viewer:

There are LOTS of the following:

01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren, comm=escd, egid=bill.tangren, euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid= bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren, subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, tty=none, uid=bill.tangren

There are also some like this, but syscall=open instead.


During this time, I am logged in to a GUI, but the screensaver has activated, and I am doing nothing. No one else has an account. 

Bill


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]