F10, audit-1.7.12

[r...@slim ~]# ausearch -i -ts yesterday -te yesterday | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 19:11:29.348:2884) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) : arch=x86_64 syscall=unlink success=yes exit=0 a0=2bb999c a1=2bb999c a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete

The results end with the above record. Then:

[r...@slim ~]# ausearch -i -ts yesterday | grep "node=" | less
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change
node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user pid=14269 uid=root auid=unset ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:accounting acct=root exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'

This shows plenty of events after the 19:11 event shown. Any ideas?

# date
Thu Jun  4 19:29:10 CDT 2009

Reading the manpage is a little confusing on the -ts and -te meanings. I'm not sure I agree with the way it is stated; regardless, the behavior above appears wrong ... but this appears to work correctly:

ausearch -ts 06/03/2009 00:00:00 -te 06/03/2009 23:59:59 -i | grep "node=" | tail
...
node=slim type=PATH msg=audit(06/03/2009 23:47:48.715:3006) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/ inode=542803 dev=fd:00 mode=dir,700 ouid=lcb ogid=lcb rdev=00:00 obj=system_u:object_r:mozilla_home_t:s0
node=slim type=CWD msg=audit(06/03/2009 23:47:48.715:3006) : cwd=/home/lcb
node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink success=yes exit=0 a0=36763bc a1=36763bc a2=0 a3=7feb3f6db550 items=2 ppid=7641 pid=7673 auid=lcb uid=lcb gid=lcb euid=lcb suid=lcb fsuid=lcb egid=lcb sgid=lcb fsgid=lcb tty=(none) ses=1 comm=firefox exe=/usr/lib64/firefox-3.0.10/firefox subj=user_u:user_r:user_t:s0 key=delete
node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex success=yes exit=0 a0=7fe1c7acbb60 a1=5 a2=7fe1c7acbb40 a3=14 items=0 ppid=1 pid=1519 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=4294967295 comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0-s15:c0.c1023 key=time-change

Thx,
LCB.

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
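The check below is an added example, not part of Lenny's post or of the audit project's code. It parses the `msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial)` field that `ausearch -i` prints, deduplicates the lines of one event by serial, and reports any event whose timestamp falls outside the calendar day the query was meant to cover, which is exactly what the post observed: a `-te yesterday` query returning a 06/04 record. It also builds the explicit `-ts`/`-te` argument list the post found to work. Assumptions: the date layout is the MM/DD/YYYY form shown in the post (ausearch formats it per locale), and the sample lines are constructed, keeping the timestamp and serial of the records quoted above with the other fields abridged.

```python
# Added example (not from the mailing-list post or the audit project): flag
# `ausearch -i` records that lie outside the intended calendar-day window.
import re
from datetime import datetime, time

# Interpreted (-i) records carry: msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial)
# Assumption: the MM/DD/YYYY layout seen in the post; ausearch uses the locale.
_DATE_FMT = "%m/%d/%Y"
_TS_RE = re.compile(
    r"msg=audit\((\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2})\.\d+:(\d+)\)"
)

# Constructed sample: timestamp/serial fields of the records quoted in the
# post, remaining fields abridged. "----" is the separator ausearch prints
# between events; it carries no timestamp and must be skipped.
SAMPLE_LINES = [
    "node=slim type=PATH msg=audit(06/03/2009 19:11:29.348:2884) : item=0 name=/home/lcb/.mozilla/firefox/c9hijbr8.default/",
    "node=slim type=SYSCALL msg=audit(06/03/2009 19:11:29.348:2884) : arch=x86_64 syscall=unlink comm=firefox key=delete",
    "----",
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:47:48.715:3006) : arch=x86_64 syscall=unlink comm=firefox key=delete",
    "node=slim type=SYSCALL msg=audit(06/03/2009 23:52:13.141:3007) : arch=x86_64 syscall=adjtimex comm=ntpd key=time-change",
    "node=slim type=USER_ACCT msg=audit(06/04/2009 00:01:01.716:3013) : user pid=14269 uid=root exe=/usr/sbin/crond",
]


def parse_timestamp(line):
    """Return (datetime, serial) for a record line, or None for non-record lines."""
    m = _TS_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", f"{_DATE_FMT} %H:%M:%S")
    return ts, int(m.group(3))


def day_window(day_str):
    """Inclusive [00:00:00, 23:59:59] bounds for one calendar day given as MM/DD/YYYY."""
    day = datetime.strptime(day_str, _DATE_FMT).date()
    return datetime.combine(day, time.min), datetime.combine(day, time(23, 59, 59))


def records_outside_window(lines, start, end):
    """(serial, timestamp) of every event not inside [start, end], sorted by serial.

    One event spans several lines (PATH, CWD, SYSCALL, ...) that share a
    serial, so events are deduplicated by serial before the bounds check.
    """
    events = {}
    for line in lines:
        parsed = parse_timestamp(line)
        if parsed is not None:
            ts, serial = parsed
            events.setdefault(serial, ts)
    return sorted((s, ts) for s, ts in events.items() if not start <= ts <= end)


def explicit_window_args(day_str):
    """Argument list for the explicit-bounds form the post found to work."""
    start, end = day_window(day_str)
    return ["ausearch", "-i",
            "-ts", start.strftime(_DATE_FMT), start.strftime("%H:%M:%S"),
            "-te", end.strftime(_DATE_FMT), end.strftime("%H:%M:%S")]


if __name__ == "__main__":
    start, end = day_window("06/03/2009")
    for serial, ts in records_outside_window(SAMPLE_LINES, start, end):
        print(f"serial {serial} at {ts} is outside {start} .. {end}")
    print(" ".join(explicit_window_args("06/03/2009")))
```

Run against real output with `ausearch -i -ts yesterday -te yesterday | python3 check.py` after replacing `SAMPLE_LINES` with `sys.stdin`; on the post's data the only event flagged is serial 3013, the crond record from 06/04, which is what the `-te yesterday` form should have excluded.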
