questions about auditing on a new RH 6 box

LC Bruzenak lenny at magitekltd.com
Fri Jan 14 18:39:26 UTC 2011


On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> 
> There are LOTS of the following:
> 
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> 
> There are also some like this, but syscall=open instead.
> 
> 
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account. 
> 

Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd


You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...

HTH,
LCB




More information about the Linux-audit mailing list