Re: systemd daemon and auid

On Wednesday, April 7, 2021 3:20:22 AM EDT MAUPERTUIS, PHILIPPE wrote: > I understand that daemons started by systemd have a uid -1. > For a specific daemon, I would like to have a different auid to trace what > the daemon is doing. By having a distinct auid it would be monitored

systemd daemon and auid

Hello, I understand that daemons started by systemd have a uid -1. For a specific daemon, I would like to have a different auid to trace what the daemon is doing. By having a distinct auid it would be monitored without specific rules. Is that possible ? Otherwise what would be the best way to

Re: httpd auid = -1

11:29 AM, Steve Grubb wrote: > > On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote: >> I’ve noticed that the httpd process on a CentOS 7.7 system I am working >> with is running with an Audit ID of -1. Example ID values are: >> >>auid=429496

httpd auid = -1

I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is running with an Audit ID of -1. Example ID values are: auid=4294967295 uid=48 gid=48 ... So if use the standard filter "-F auid!=-1” in the audit rules I do not see httpd act

Re: httpd auid = -1

alate. You might be able to detect them making it executable: -a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec -a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -F auid>=

Re: httpd auid = -1

On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote: > I’ve noticed that the httpd process on a CentOS 7.7 system I am working > with is running with an Audit ID of -1. Example ID values are: > > auid=4294967295 > uid=48 > gid=48 > .

Re: auid = unset

On Friday, May 3, 2019 3:31:39 PM EDT Joshua Ammons wrote: > Hello, I just wanted to see if anyone has had much success with configuring > redhat systems to reduce and/or eliminate the occurrence of auid = unset > in the audit events? auid = unset is a natural thing. Typically it indicat

auid = unset

Hello, I just wanted to see if anyone has had much success with configuring redhat systems to reduce and/or eliminate the occurrence of auid = unset in the audit events? I found the following redhat article that provides a fix by updating a grub setting for auditd but this doesn't seem to

Re: auid of a script started by a daemon process.

On Monday, February 20, 2017 1:24:28 PM EST Kaptaan wrote: > Thanks Steve for the prompt response. > > Could you please help me understand how the starting of the application from > systemd will solve my problem of capturing the auid of the person who > sudoes to another user

Re: auid of a script started by a daemon process.

Thanks Steve for the prompt response. Could you please help me understand how the starting of the application from systemd will solve my problem of capturing the auid of the person who sudoes to another userid and runs the script to access the files. sudoes to and runs the script to access

Re: auid of a script started by a daemon process.

lly executed by the application's daemon process. > > The auid shown in the audit logs is always my id for all audit > events. Yes. This sounds like a problem. The auid is the mechanism to track who the person is no matter who they sudo/su to. The uid is the transient id of the u

auid of a script started by a daemon process.

. I sudo to and start the application. The application starts a few daemon process owned by . User2 - uses the application to access the files (through some script). The script is actually executed by the application's daemon process. The auid shown in the audit logs is always my id fo

Re: Why exclude unset auid in STIG rules

@redhat.com Subject: RE: Why exclude unset auid in STIG rules > -Original Message- > From: Steve Grubb [mailto:sgr...@redhat.com] > Sent: Wednesday, May 11, 2016 12:11 PM > > On Wednesday, May 11, 2016 06:40:52 PM Wyatt, Curtis wrote: > > Ok, so the assumption is

RE: Why exclude unset auid in STIG rules

> -Original Message- > From: Steve Grubb [mailto:sgr...@redhat.com] > Sent: Wednesday, May 11, 2016 12:11 PM > > On Wednesday, May 11, 2016 06:40:52 PM Wyatt, Curtis wrote: > > Ok, so the assumption is that daemons are not compromised? > > This is a complicated topic. Basically there are

Re: Why exclude unset auid in STIG rules

x27;t see anything in the SRG that leans towards IDS-like rules. Do you see any? -Steve > -Original Message- > From: Steve Grubb [mailto:sgr...@redhat.com] > Sent: Wednesday, May 11, 2016 11:35 AM > > When a user logs in, the auid gets set to the uid that they used to login &

RE: Why exclude unset auid in STIG rules

6 11:35 AM When a user logs in, the auid gets set to the uid that they used to login with. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The rules use a directive like this: -F auid>=1000 to tr

Re: Why exclude unset auid in STIG rules

On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote: > I don't understand why the STIG audit rules have -F auid!=4294967295 in it. > If auid is unset, why wouldn't you still want to see the events in the > logs? When a user logs in, the auid gets set to the uid that

Why exclude unset auid in STIG rules

I don't understand why the STIG audit rules have -F auid!=4294967295 in it. If auid is unset, why wouldn't you still want to see the events in the logs? Curtis -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

Re: filtering system calls with auid -1

t,never -F subj_type=crond_t # audit root actions from users switching to root -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands # audit root actions with loginui

Re: filtering system calls with auid -1

from script are fine for me. OK. > I altered my audit.rules as you suggested to the following, no other rules: > auditctl -l: You can add a key to this if you like, -F key=root-commands > -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 > -a always,exit -F

Re: filtering system calls with auid -1

other rules: auditctl -l: -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 I get entries from crond like the following in audit.log: type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780

Re: filtering system calls with auid -1

On Tuesday, November 17, 2015 10:38:17 AM ocakan wrote: > My aim is to audit only commands executed by root (interactively) and avc > denied messages (selinux) I have some questions to help clarify. Command executed by root, or the root user? Root is uid = 0, Root user is uid = 0 &&am

filtering system calls with auid -1

: -a never,exit -S all -F auid!=-1 -a never,exit -S all -F auid!=0 -F auid<500 -a always,exit -F arch=x86_64 -S execve -F euid=0 -F key=root-commands -a always,exit -F arch=i386 -S execve -F euid=0 -F key=root-commands -a always,exclude -F msgtype=CWD ### auditctl -s: AUDIT_STATUS: enabled=1 fla

Re: auid=0

On Monday, August 03, 2015 02:53:52 PM rsh...@umbc.edu wrote: > > On Monday, August 03, 2015 02:11:31 PM rsh...@umbc.edu wrote: > >> Comparing the "official" STIG content with the scap-security-guide > >> content, the former seems to have added corresponding rule

Re: auid=0

> On Monday, August 03, 2015 02:11:31 PM rsh...@umbc.edu wrote: >> Comparing the "official" STIG content with the scap-security-guide >> content, the former seems to have added corresponding rules for "-F >> auid=0" that aren't present in scap-secu

Re: auid=0

On Monday, August 03, 2015 02:11:31 PM rsh...@umbc.edu wrote: > Comparing the "official" STIG content with the scap-security-guide > content, the former seems to have added corresponding rules for "-F > auid=0" that aren't present in scap-security guide. i.e. whe

auid=0

Comparing the "official" STIG content with the scap-security-guide content, the former seems to have added corresponding rules for "-F auid=0" that aren't present in scap-security guide. i.e. where scap-security-guide will just have one rule: -a always,exit -F arch=ARCH

Re: auid field when switching user

Thank you ! I think you point the "missing". My first try was on debian wheezy. Now I try on debian jessie. With jessie, all requirements seems presents and the field auid has the right value ! type=SYSCALL msg=audit(1430989253.292:23716): arch=c03e syscall=59 success=yes exit=0 a0

Re: auid field when switching user

On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote: > Hello, > > On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote: > > I'm trying to use auditd to log all actions made by the users on the > > system. This part works fine. > > > > The documentatio

Re: auid field when switching user

Hello, On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote: > I'm trying to use auditd to log all actions made by the users on the > system. This part works fine. > > The documentation mention the "auid" field to identify the user from the > first connection &

auid field when switching user

Bonjour, I'm trying to use auditd to log all actions made by the users on the system. This part works fine. The documentation mention the "auid" field to identify the user from the first connection "even" when the user's identity changes (like with a su): auid=

Re: auid=4294967295 issue

On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote: > we have some linux servers and a central log collector system. we are > sending audit logs to this log system. this log collector system can > parse such logs but this system confused at lines with "auid=4294967295&qu

auid=4294967295 issue

and a central log collector system. we are sending audit logs to this log system. this log collector system can parse such logs but this system confused at lines with "auid=4294967295" in audit logs. i have tried everything but still this lines are coming: type=USER_ACCT

Re: AUID question

On Friday, November 14, 2014 10:16:12 AM David Flatley wrote: >While checking audit logs for failed logins, It was noticed that the > AUID was one name and there was a UID of the user that failed login. The > only thing we can figure is that the AUID user rebooted the system > by l

AUID question

While checking audit logs for failed logins, It was noticed that the AUID was one name and there was a UID of the user that failed login. The only thing we can figure is that the AUID user rebooted the system by logging in as himself and then using sudo to reboot the system prior to the fails

Re: Need help, we are receiving type=SYSCALL with auid=unset event entries

On Tuesday, June 03, 2014 01:28:40 PM Briane Lin wrote: > We are unable to properly monitor an event with AUID=unset, does anyone > know why we are currently seeing these and what is the resolution? If you have an unset auid and its supposed to be meaningful, then the way that peop

Need help, we are receiving type=SYSCALL with auid=unset event entries

We are receiving LINUX RHEL versions 5 and 6 in our environment with type=SYSCALL and auid=unset event types. We are unable to properly monitor an event with AUID=unset, does anyone know why we are currently seeing these and what is the resolution? Thanks! Briane Lin IBM Global Technology

Re: auid?

On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote: > I'm trying to find a definition of "auid", besides "audit UID". If user Joe > with UID 1814 logs in and sudo to application account "british" which has a > UID of 1776, is the auid of Joe

Re: auid?

James, thanks! I thought that was it, but I have to brief on recommended audit.rules changes and hate telling someone something when I'm not sure. Leam On Tue, Oct 29, 2013 at 3:43 PM, CHAPLIN, JAMES (CTR) < james.chap...@cbp.dhs.gov> wrote: > His auid will be 1814 and does not

auid?

Hey all, I'm trying to find a definition of "auid", besides "audit UID". If user Joe with UID 1814 logs in and sudo to application account "british" which has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an "su -" to r

RE: Auditing only when auid and uid differ

It does work on Redhat 6, it was my mistake. Philippe -Message d'origine- De : Maupertuis Philippe Envoyé : jeudi 10 octobre 2013 09:13 À : linux-audit@redhat.com Objet : RE: Auditing only when auid and uid differ Thanks for the quick reply. Unfortunately, I guess that a newish k

RE: Auditing only when auid and uid differ

ubb [mailto:sgr...@redhat.com] Envoyé : mercredi 9 octobre 2013 18:43 À : linux-audit@redhat.com Cc : Maupertuis Philippe Objet : Re: Auditing only when auid and uid differ On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote: > I want to track what people are doing when then ch

Re: Auditing only when auid and uid differ

On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote: > I want to track what people are doing when then change their userid. > Basically I would like to write : > -a exit,never -F arch=b32 -S all -F auid=4294967295 > -a exit,never -F arch=b64 -S all -F auid=42949672

Auditing only when auid and uid differ

I want to track what people are doing when then change their userid. Basically I would like to write : -a exit,never -F arch=b32 -S all -F auid=4294967295 -a exit,never -F arch=b64 -S all -F auid=4294967295 -a exit,always -F arch=b32 -S all -F auid>1000 -F uid!=auid -k userchange -a e

Re: why auid always unset?

tation ? > > thanks a lot > > > On Thu, Jul 25, 2013 at 4:54 PM, Steve Grubb wrote: > >> On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote: >> > The problem is, cat /proc/self/loginuid is still 4294967295 if I login. >> > >> > However, I do

Re: why auid always unset?

f I login. > > > > However, I do see lots of events the auid is 0. I even see auid change > > reflect in the event. > > Like > > > > type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952 > > uid=root old auid=unset new auid=root > > This would b

Re: why auid always unset?

On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote: > The problem is, cat /proc/self/loginuid is still 4294967295 if I login. > > However, I do see lots of events the auid is 0. I even see auid change > reflect in the event. > Like > > type=LOGIN msg=audit(07/20/20

Re: why auid always unset?

Thanks. I removed quiet from gruf.conf and I see from the output at boot. I do see like start audit [ok] The problem is, cat /proc/self/loginuid is still 4294967295 if I login. However, I do see lots of events the auid is 0. I even see auid change reflect in the event. Like type=LOGIN msg

Re: why auid always unset?

On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote: > I read my audit logs.I always see lots of auid values are 4294967295. Even > when I delete a file, the value is still 4294967295? In a normal system, there will be some events with 4294967295. These should be daemons and system

Re: why auid always unset?

BTW, I put audit=1 to my grub.conf and restarted my host. Still the same On Tue, Jul 23, 2013 at 3:49 PM, zhu xiuming wrote: > I read my audit logs.I always see lots of auid values are 4294967295. Even > when I delete a file, the value is still 4294967295? > I added pam_loginuid to g

why auid always unset?

I read my audit logs.I always see lots of auid values are 4294967295. Even when I delete a file, the value is still 4294967295? I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. Howver, it is still the same value? I wonder what is wrong? -- Linux-audit mailing list Linux-audit@redhat.com

Audit 2.0.4 auid issue

ser "system" uid 500 May 27 10:20:36 doma audispd: node=doma type=SYSCALL msg=audit(1274948436.000:57884): arch=c03e syscall=59 success=yes exit=0 a0=6cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19 sgid=1

Re: audit 2.0.4 auid problem

I would like to audit specifically interactive actions taken from the console ttys (ttyS0,ttyS1,tty-1-6) and I've just discovered the /bin/login we use here was compiled without PAM libs. So I guess I will not be able to get auid nor TTY auditing... By the way is there any way/future w

Re: audit 2.0.4 auid problem

On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote: > 1 ) Is there any bug with auid always set to 4294967295 ? You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any pamified entry point daemon. (but not sudo or su.) > 2) I've also searched

audit 2.0.4 auid problem

cf250 a1=6cf730 a2=6cf510 a3=0 items=2 ppid=26772 pid=27006 auid=4294967295 uid=1000 gid=19 euid=1000 suid=1000 fsuid=1000 egid=19 sgid=19 fsgid=19 tty=tty1 comm="date" exe="/bin/date" key=(null) May 27 10:20:36 doma audispd: node=doma type=EXECVE msg=audit(1274948436.000:5788

Re: Dropping auid for daemons started via sudo

On Monday 17 May 2010 09:32:15 am Konstantin Ryabitsev wrote: > It mostly does the right thing, except for cases when an admin logs in > and restarts a service. If it's running a privileged process, that > process will have an auid of the user that last ran "service foo > r

Dropping auid for daemons started via sudo

rule: -a always,exit -F arch=b32 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F arch=b64 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged It mostly does the right thing, except for cases when an admin logs in and restarts a service. If it&

Re: Did something break in RHEL5 with auid?

On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hello all, > > In RHEL5.2 auditing worked fine for me auid was set to the user's uid > and id was set to whatever it happened to be at the time. > >

Did something break in RHEL5 with auid?

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello all, In RHEL5.2 auditing worked fine for me auid was set to the user's uid and id was set to whatever it happened to be at the time. In RHEL5.4 auid got set to the 'anon' value. In RHEL5.5 auid gets set to '0' but uid

RE: auid unset

Thanks Steve. That worked. What I don't understand is that it is not in the system that already worked. Thanks again, David A. Kirkwood >On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote: >> The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both >> systems. I grep

Re: auid unset

On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote: > The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both > systems. I grepped for loginuid.so in the pam.d directory and it appears in > all of the same pam entries on both systems. No luck yet, however I > appreciat

FW: auid unset

. I tried to get it by >pulling strings with no success. The larger problem is I am configuring >a RHEL4U5 system. I have a RHEL4U4 system that runs correctly and >supplies the AUID when specified with aureport. The RHEL4U5 system has >this parameter as "unset" rather than the A

RE: auid unset

Thanks Klaus, The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both systems. I grepped for loginuid.so in the pam.d directory and it appears in all of the same pam entries on both systems. No luck yet, however I appreciate your help. David A. Kirkwood >> >> I need some help

Re: auid unset

> $ audearch -m DAEMON_START read that as $ausearch -m DAEMON_START The best option would still be just 'rpm -q audit' and check the output -- Klaus Heinrich Kiwi/Brazil/IBM <[EMAIL PROTECTED]> Software Engineer IBM STG, Linux Technology Center Phone:(+55-19) 2132-1909 [T/L 839-1909] -- Linux-

Re: auid unset

> > I need some help with configuration. First, I do not remember how to > tell the version of the auditd I am running. I tried to get it by > pulling strings with no success. To identify the audit version you're running, you could use the package version+release or possibly something like $ au

auid unset

Hi, I need some help with configuration. First, I do not remember how to tell the version of the auditd I am running. I tried to get it by pulling strings with no success. The larger problem is I am configuring a RHEL4U5 system. I have a RHEL4U4 system that runs correctly and supplies the AUID

auid uset

AUID when specified with aureport. The RHEL4U5 system has this parameter as "unset" rather than the AUID or uid or anything else to identify who was attempting to run failed commands. If someone can help me with what needs to be set, I would appreciate it. I compared all of the obv

Re: Audit rule that applies when auid >= 500

he old rule style for communicating with the kernel for backward compatibility with old kernels - pre-2.6.16) There is slightly newer RHEL5 audit packages here: http://people.redhat.com/sgrubb/files/lspp/ But the RHEL5.1 package 1.5.5-5 should work fine: # auditctl -a exit,always -S open -F

Audit rule that applies when auid >= 500

Hello, I would like some of my audit rules to apply when auid >= 500 For example consider this use case: [EMAIL PROTECTED] audit]# auditctl -v auditctl version 1.3.1 [EMAIL PROTECTED] audit]# cat /etc/audit/audit.rules # This file contains the auditctl rules that are loaded # whenever

Re: A scriptable utility for setting auid

On Sun, 2007-02-25 at 18:17 -0500, Steve Grubb wrote: > On Tuesday 20 February 2007 16:29:25 Matthew Booth wrote: > > I needed a way to exclude a very large class of audit traffic [1] in > > RHEL 4. It occurred to me that if I could launch a process and give it > > the auid o

Re: A scriptable utility for setting auid

On Tuesday 20 February 2007 16:29:25 Matthew Booth wrote: > I needed a way to exclude a very large class of audit traffic [1] in > RHEL 4. It occurred to me that if I could launch a process and give it > the auid of a dedicated user, I could easily filter it out along with > all chi

A scriptable utility for setting auid

I needed a way to exclude a very large class of audit traffic [1] in RHEL 4. It occurred to me that if I could launch a process and give it the auid of a dedicated user, I could easily filter it out along with all child processes. With this in mind I wrote the attached simple wrapper round the

Re: auid bug

Are you sure you have pam_loginuid.so configured in the appropriate /etc/pam.d/* files, such as login and sshd? I checked the login file and it matches yours, I am not using ssh on this machine. I'm running the .41 kernel and the audit-1.2.4 tools and the auid is correct in the

Re: auid bug

Are you sure you have pam_loginuid.so configured in the appropriate /etc/pam.d/* files, such as login and sshd? I'm running the .41 kernel and the audit-1.2.4 tools and the auid is correct in the audit records on my system. This is what my /etc/pam.d/login file looks like: #%PAM-1.0

auid bug

I am receiving audit events with an odd auid... I am not sure if this is something wrong in the kernel or in audit. The auid I am receiving is 4294967295 (the max value for an unsigned long). The other uid/gid information is normal. I have seen this on all audit versions since audit-1.2.3