In addition to that:

# /usr/sbin/auditconfig -getaudit
audit id = unknown(-2)
process preselection mask = no(0x0,0x0)
terminal id (maj,min,host) = 15289,202240,unknown(10.1.1.10)
audit session id = 0

---------- Forwarded message ----------
From: Piotr Jasiukajtis <[email protected]>
Date: Wed, Jun 30, 2010 at 11:43 AM
Subject: Re: BSM Audit and LDAP accounts
To: Jan Friedel <[email protected]>

On Tue, Jun 29, 2010 at 4:38 PM, Jan Friedel <[email protected]> wrote:
>
> Hi Piotr,
>
> On Tue, Jun 29, 2010 at 04:07:12PM +0200, Piotr Jasiukajtis wrote:
>> Hi,
>>
>> I have found that auditd in default configuration does not store user
>> IDs in the logs if the account is LDAP based.
>>
>> praudit says only:
>> header,32,2,su,,server,2010-06-29 15:56:24.284 +02:00,return,success,0
>>
>> In case of local users it says:
>> ,subject,estibi,root,root,root,root,8416,1677303986,6456 71168
>> 10.1.1.10,return,success,0
>
> Please, on which OS build you see the incorrect behaviour? Have
> you filed a bug already? What's the CR?

It's snv_128.
I haven't filed a BUG yet.

> Also, please, can you resend the complete audit record for the
> latter case? I can see just the subject, not the header. Was
> that su(1M) as well?

Yes, it's 'su' as well.

header,44,2,system booted,na,2010-06-30 10:23:47.017 +02:00,text,booting kernel
header,32,2,login - ssh,,opensolaris,2010-06-30 10:24:36.779 +02:00,return,success,0
header,32,2,role login,,opensolaris,2010-06-30 10:24:44.547 +02:00,return,success,0
header,32,2,role logout,,opensolaris,2010-06-30 10:25:25.528 +02:00,return,success,0
header,40,2,su,,opensolaris,2010-06-30 10:25:29.633 +02:00,text,root,return,failure,Authentication failed
header,32,2,role login,,opensolaris,2010-06-30 10:25:37.092 +02:00,return,success,0
header,32,2,login - ssh,,opensolaris,2010-06-30 10:28:46.619 +02:00,return,success,0
header,32,2,role logout,,opensolaris,2010-06-30 10:33:45.952 +02:00,return,success,0
header,32,2,logout,,opensolaris,2010-06-30 10:33:46.720 +02:00,return,success,0
header,32,2,login - ssh,,opensolaris,2010-06-30 10:34:03.568 +02:00,return,success,0
header,32,2,login - ssh,,opensolaris,2010-06-30 11:01:13.849 +02:00,return,success,0
header,32,2,logout,,opensolaris,2010-06-30 11:05:08.399 +02:00,return,success,0
header,32,2,login - ssh,,opensolaris,2010-06-30 11:09:18.883 +02:00,return,success,0
header,32,2,logout,,opensolaris,2010-06-30 11:17:02.941 +02:00,return,success,0
header,69,2,role login,,opensolaris,2010-06-30 11:30:54.835 +02:00,subject,user1,root,root,root,root,21526,2484025745,13625 202240 10.1.1.10,return,success,0
header,69,2,role logout,,opensolaris,2010-06-30 11:31:06.233 +02:00,subject,user1,root,root,root,root,21526,2484025745,13625 202240 10.1.1.10,return,success,0
header,69,2,role login,,opensolaris,2010-06-30 11:32:27.428 +02:00,subject,user1,root,root,root,root,22076,2484025745,13625 202240 10.1.1.10,return,success,0
header,32,2,logout,,opensolaris,2010-06-30 11:33:32.006 +02:00,return,success,0
header,32,2,login - ssh,,opensolaris,2010-06-30 11:33:39.266 +02:00,return,success,0
header,32,2,role login,,opensolaris,2010-06-30 11:33:55.470 +02:00,return,success,0

and in the raw form:

116,44,2,113,0x0040,1277886227,17057986,40,booting kernel
21,32,2,6172,0x0000,10.7.4.40,1277886276,779940088,39,0,0
21,32,2,6173,0x0000,10.7.4.40,1277886284,547710623,39,0,0
21,32,2,6229,0x0000,10.7.4.40,1277886325,528541391,39,0,0
21,40,2,6159,0x0000,10.7.4.40,1277886329,633269843,40,root,39,-1,2009
21,32,2,6173,0x0000,10.7.4.40,1277886337,92739389,39,0,0
21,32,2,6172,0x0000,10.7.4.40,1277886526,619812164,39,0,0
21,32,2,6229,0x0000,10.7.4.40,1277886825,952424563,39,0,0
21,32,2,6153,0x0000,10.7.4.40,1277886826,720483842,39,0,0
21,32,2,6172,0x0000,10.7.4.40,1277886843,568824980,39,0,0
21,32,2,6172,0x0000,10.7.4.40,1277888473,849863285,39,0,0
21,32,2,6153,0x0000,10.7.4.40,1277888708,399152572,39,0,0
21,32,2,6172,0x0000,10.7.4.40,1277888958,883848000,39,0,0
21,32,2,6153,0x0000,10.7.4.40,1277889422,941314719,39,0,0
21,69,2,6173,0x0000,10.7.4.40,1277890254,835926614,36,101,0,0,0,0,21526,2484025745,13625 202240 10.1.1.10,39,0,0
21,69,2,6229,0x0000,10.7.4.40,1277890266,233381407,36,101,0,0,0,0,21526,2484025745,13625 202240 10.1.1.10,39,0,0
21,69,2,6173,0x0000,10.7.4.40,1277890347,428697181,36,101,0,0,0,0,22076,2484025745,13625 202240 10.1.1.10,39,0,0
21,32,2,6153,0x0000,10.7.4.40,1277890412,6925566,39,0,0
21,32,2,6172,0x0000,10.7.4.40,1277890419,266738157,39,0,0
21,32,2,6173,0x0000,10.7.4.40,1277890435,470584655,39,0,0

>
> Thanks,
>
> /j.
>
>

--
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
_______________________________________________
security-discuss mailing list
[email protected]
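
Added example, not part of the original thread or of any Solaris tooling: a small Python check that reads praudit records in the one-record-per-line, comma-delimited form shown above and reports login, su and role events that carry no subject token, i.e. events that cannot be attributed to a user. The function names, the USER_EVENTS set and the plain comma split (which assumes no token value contains a comma) are assumptions made for this example.

```python
import re

# Constructed sample: five records copied from the praudit output in this thread.
SAMPLE = """\
header,44,2,system booted,na,2010-06-30 10:23:47.017 +02:00,text,booting kernel
header,32,2,login - ssh,,opensolaris,2010-06-30 10:24:36.779 +02:00,return,success,0
header,40,2,su,,opensolaris,2010-06-30 10:25:29.633 +02:00,text,root,return,failure,Authentication failed
header,69,2,role login,,opensolaris,2010-06-30 11:30:54.835 +02:00,subject,user1,root,root,root,root,21526,2484025745,13625 202240 10.1.1.10,return,success,0
header,32,2,role login,,opensolaris,2010-06-30 11:33:55.470 +02:00,return,success,0
"""

TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2}")
# Assumption: the events from this thread that should name an acting user.
USER_EVENTS = {"login - ssh", "logout", "su", "role login", "role logout"}


def parse_record(line):
    """Parse one comma-delimited praudit record; return None if it is not one."""
    fields = line.strip().split(",")
    if len(fields) < 6 or fields[0] != "header":
        return None
    # The host field is absent from some records, so find the timestamp by shape.
    t = next((i for i, v in enumerate(fields) if TIME_RE.fullmatch(v)), None)
    if t is None:
        return None
    tokens = fields[t + 1:]
    rec = {"event": fields[3], "time": fields[t], "audit_user": None, "status": None}
    if "subject" in tokens[:-1]:  # the audit user ID follows the token name
        rec["audit_user"] = tokens[tokens.index("subject") + 1]
    if "return" in tokens[:-1]:   # success/failure follows the token name
        rec["status"] = tokens[tokens.index("return") + 1]
    return rec


def find_unattributed(text):
    """Return user-attributable events whose record has no subject token."""
    records = filter(None, map(parse_record, text.splitlines()))
    return [r for r in records if r["event"] in USER_EVENTS and r["audit_user"] is None]


if __name__ == "__main__":
    for r in find_unattributed(SAMPLE):
        print(f'{r["time"]}  {r["event"]:<12} status={r["status"]}  no subject token')
```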
