Linda Knippers wrote:
>>Inside the msg is the information logged by sshd regarding who, what, when,
>>where, and result. Uid is given because they have successfully identified
>>themselves to the system and it's shorter. Going from uid to acct name is easy
>>and you never know when people change their name string causing lookup
>>errors.
>>
>>In the case where we log a message pre-authentication, you get acct since it
>>did not correlate to a uid.
>
>
> I think it would be nice if the success message and the failure
> message had the same information, so acct in both cases if that's
> all we can get for the failure case. This is what we see now:
>
> type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
> auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
> exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
> terminal=/dev/pts/3 res=success)'
>
> type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
> auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
> msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
> res=failed)'
>
> Do you know why we often get an addr of 2.0.0.0? Also, why does
> terminal=sshd in the failure case? And are we not able to get
> the hostname and other info in that case?
I just upgraded from audit 1.2.5 to 1.2.7 and now I see slightly different
information in the hostname/addr/terminal fields:

type=USER_LOGIN msg=audit(1158758206.573:1685): user pid=24082 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
exe="/usr/sbin/sshd" (hostname=kipper.zko.hp.com, addr=2.0.0.0,
terminal=/dev/pts/4 res=success)'

type=USER_LOGIN msg=audit(1158758201.133:1677): user pid=24078 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=16.116.113.237,
terminal=sshd res=failed)'

The hostname is correct for the success case and the address is correct for
the failure case. I suppose terminal isn't known on the failure case because
the login didn't occur? In that case, should it be '?'?

I see addr=2.0.0.0 on other messages too, so my question about that isn't
specific to this message type.

-- ljk

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
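The USER_LOGIN layout discussed in this thread, as an added example that is not from the list or from the audit project: a small Python parser that folds the uid/acct subject into one field, maps the '?' placeholders and the unset auid to None, and lets success and failure records be compared on equal terms. The function names (parse_user_login, unattributable, addr_histogram) are my own, and the sample records are constructed from the ones quoted above.

```python
import re
from collections import Counter
# Constructed sample records, modelled on the USER_LOGIN lines quoted in the thread.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0 auid=0 "
    "subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0: exe=\"/usr/sbin/sshd\" "
    "(hostname=16.116.117.213, addr=2.0.0.0, terminal=/dev/pts/3 res=success)'",
    "type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0 auid=4294967295 "
    "subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='acct=root: exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=sshd res=failed)'",
]

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
INNER_RE = re.compile(r"msg='(?P<subject>[^:]+): exe=\"(?P<exe>[^\"]+)\" \((?P<fields>.*)\)'$")
KV_RE = re.compile(r"(\w+)=(\S+)")
UNSET_AUID = 4294967295  # (unsigned)-1: no login uid assigned to the session yet

def _opt(value):
    return None if value in (None, "?") else value  # sshd writes '?' for "unknown"

def parse_user_login(line):
    """Return a normalised dict for one USER_LOGIN record, or None for any other line."""
    head = HEADER_RE.match(line.strip())
    if not head or head.group("type") != "USER_LOGIN":
        return None
    body = head.group("body")
    inner = INNER_RE.search(body)
    if not inner:
        return None
    outer = dict(KV_RE.findall(body.split(" msg='", 1)[0]))
    # Inner pairs are comma separated except the last one; drop the commas before splitting.
    fields = dict(KV_RE.findall(inner.group("fields").replace(",", " ")))
    # After authentication sshd logs uid=N, before it acct=NAME; keep both under one key.
    kind, value = inner.group("subject").split("=", 1)
    auid = int(outer["auid"])
    return {
        "serial": int(head.group("serial")), "time": float(head.group("ts")),
        "pid": int(outer["pid"]), "auid": None if auid == UNSET_AUID else auid,
        "subject_kind": kind, "subject": value, "exe": inner.group("exe"),
        "hostname": _opt(fields.get("hostname")), "addr": _opt(fields.get("addr")),
        "terminal": _opt(fields.get("terminal")), "result": fields.get("res"),
    }

def unattributable(records):
    """Serials of records naming neither hostname nor addr; these cannot be tied to a client."""
    return [r["serial"] for r in records if r["hostname"] is None and r["addr"] is None]

def addr_histogram(records):
    """Count each addr; one recurring across unrelated logins (as 2.0.0.0 does here) is suspect."""
    return Counter(r["addr"] for r in records if r["addr"] is not None)
```

Feeding a whole day's USER_LOGIN records through addr_histogram makes an address that shows up under many different hostnames stand out immediately.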
