RE: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> There are LOTS of the following:
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary], auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> There are also some like this, but syscall=open instead.
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account. 

Well, herein lies the rub...the audit rules you have in place are doing
their job.

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd

You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...
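
The summaries the reply asks for (aureport's per-process summary and ausearch's per-comm search) can be reproduced over a handful of records to see what they would show before running them on a live box. The script below is an added example, not part of the thread or of the audit package; it operates on constructed lines modelled on the record format quoted above (the line layout is an assumption, not a copy of real ausearch -i output), and the counts it produces are only for those constructed lines. It tallies events by comm and syscall, counts the events from one comm (the escd case), and counts what remains once that comm is excluded, which is the question the reply raises about whether the noise can be filtered out.

```shell
#!/bin/sh
# Added example: summarize audit-style SYSCALL records by comm and syscall.
# Constructed sample lines, modelled on the key=value layout quoted in the thread.
SAMPLE_LOG='01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null
01/14/2011 11:44:30 type=SYSCALL, arch=x86_64, syscall=open, success=yes, exit=0, auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null
01/14/2011 11:44:31 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null
01/14/2011 11:45:02 type=SYSCALL, arch=x86_64, syscall=mknod, success=no, exit=-13, auid=bill.tangren, comm=sh, exe=/bin/bash, key=null'

# Print "count comm syscall" for each distinct (comm, syscall) pair, most
# frequent first: a small stand-in for `aureport --summary`.
summarize_by_comm_syscall() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        {
            comm = ""; sc = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                 # strip the trailing comma
                if (f ~ /^comm=/)    comm = substr(f, 6)
                if (f ~ /^syscall=/) sc   = substr(f, 9)
            }
            if (comm != "" && sc != "") n[comm " " sc]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Number of records produced by one comm, the `ausearch -c <comm>` view.
count_comm() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "comm=$1,"
}

# Number of records left after excluding a trusted comm: what you would still
# have to look at if the escd events were filtered out of the rules.
count_other_comm() {
    printf '%s\n' "$SAMPLE_LOG" | grep -vc "comm=$1,"
}

# Stand-alone run: show the summary, then the escd and non-escd counts.
summarize_by_comm_syscall
printf 'escd records: %s\n' "$(count_comm escd)"
printf 'non-escd records: %s\n' "$(count_other_comm escd)"
```

Pointing the same awk at real output (for example `sudo ausearch -ts today -i | grep type=SYSCALL`) gives the same kind of tally; the one record that survives the exclusion in the sample (a failed mknod from a shell) is exactly the sort of event the escd noise would otherwise bury.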