RE: questions about auditing on a new RH 6 box

From: LC Bruzenak
Sent: Friday, January 14, 2011 1:39 PM
To: Tangren, Bill
Cc: linux-audit redhat com
On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> There are LOTS of the following:
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> There are also some like this, but syscall=open instead.
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account.

Well, herein lies the rub...the audit rules you have in place are doing
their job.

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd


These are the top results for the ausearch command given above:

930  /usr/lib64/esc-1.1.0/escd
82  /usr/libexec/abrt-hook-ccpp
44  /usr/sbin/sshd
43  /usr/sbin/crond
41  /usr/sbin/usermod
34  /sbin/unix_chkpwd
31  /usr/bin/sudo
24  /bin/ls
22  /usr/sbin/abrtd (deleted)
21  /usr/sbin/httpd
17  /usr/libexec/openssh/sftp-server
15  /bin/su
14  /usr/libexec/gnome-screensaver-dialog
14  /usr/sbin/cupsd

OK. It appears that the RH smart card reader software is doing this, which is odd, considering I'm not using a smart card right now. I'll disable it (for now) and see what happens. But I'm going to want it working eventually.
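Added example, not part of the thread: a small Python script that parses interpreted SYSCALL records in the key=value layout quoted above, rebuilds the per-executable tally that `aureport -x --summary` gives (with the syscall added), and pulls out the pattern under discussion, events charged to a login auid that have no controlling tty. The log lines are constructed for the example, not taken from Bill's machine.

```python
import re
from collections import Counter

# Constructed sample records in the interpreted key=value layout quoted in the
# thread (not real data from the poster's machine): two escd mknod calls, one
# escd open, one interactive ls, and one sshd event with no login uid.
SAMPLE_LOG = """\
01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0-3=[0x7f1,0x21b6,0x0,0x0], auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null, tty=none, uid=bill.tangren
01/14/2011 11:44:30 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0-3=[0x7f1,0x21b7,0x0,0x0], auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null, tty=none, uid=bill.tangren
01/14/2011 11:44:31 type=SYSCALL, arch=x86_64, syscall=open, success=yes, exit=3, a0-3=[0x7f2,0x0,0x0,0x0], auid=bill.tangren, comm=escd, exe=/usr/lib64/esc-1.1.0/escd, key=null, tty=none, uid=bill.tangren
01/14/2011 11:45:02 type=SYSCALL, arch=x86_64, syscall=open, success=yes, exit=4, a0-3=[0x7f3,0x0,0x0,0x0], auid=bill.tangren, comm=ls, exe=/bin/ls, key=null, tty=pts0, uid=bill.tangren
01/14/2011 11:46:10 type=SYSCALL, arch=x86_64, syscall=open, success=yes, exit=5, a0-3=[0x7f4,0x0,0x0,0x0], auid=unset, comm=sshd, exe=/usr/sbin/sshd, key=null, tty=none, uid=root
"""

# key=value pairs separated by commas; a value may be a bracketed list (a0-3=[...]).
FIELD_RE = re.compile(r"([A-Za-z0-9_-]+)=\s*(\[[^\]]*\]|[^,\s]+)")

def parse_record(line):
    """Return the fields of one interpreted record as a dict (timestamp ignored)."""
    return dict(FIELD_RE.findall(line))

def exe_summary(text):
    """Tally SYSCALL events per (exe, syscall), most frequent first.
    Same view as `aureport -x --summary`, with the syscall name added."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and "exe" in rec:
            counts[(rec["exe"], rec.get("syscall", "?"))] += 1
    return counts.most_common()

UNSET_AUID = {None, "unset", "-1", "4294967295"}  # how an unset login uid appears

def unattended_user_events(text):
    """Records charged to a real login uid (auid) but with tty=none: a daemon or
    background helper acting in the user's name, which is the escd pattern above."""
    found = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("auid") not in UNSET_AUID and rec.get("tty") == "none":
            found.append((rec["auid"], rec.get("exe", "?"), rec.get("syscall", "?")))
    return found

if __name__ == "__main__":
    for (exe, call), n in exe_summary(SAMPLE_LOG):
        print(f"{n:4d}  {exe} ({call})")
    for auid, exe, call in unattended_user_events(SAMPLE_LOG):
        print(f"no tty but auid={auid}: {exe} {call}")
```

Run it against `ausearch -ts recent -i` output redirected to a file to see which executables dominate before deciding whether a process such as escd should be trusted and filtered.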


