-----Original Message----- From: LC Bruzenak [mailto:[email protected]] Sent: Friday, January 14, 2011 1:39 PM To: Tangren, Bill Cc: [email protected] Subject: RE: questions about auditing on a new RH 6 box
On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote: > > There are LOTS of the following: > > 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, > success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren, > comm=escd, egid=bill.tangren, euid=bill.tangren, > exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid= > bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren, > subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, > tty=none, uid=bill.tangren > > There are also some like this, but syscall=open instead. > > > During this time, I am logged in to a GUI, but the screensaver has > activated, and I am doing nothing. No one else has an account. > Well, herein lies the rub...the audit rules you have in place are doing their job. :) The escd is creating device files as it does its thing...do you trust it? Assuming so, maybe there is a way to filter those out. Can you send a couple of the results of this command? This will tell you the top (recent) auditing processes: % sudo aureport -ts recent -i -x --summary Also a couple of of these results (since you said there were a lot of escd process events). Change "recent" to "today" or a specific start time (see ausearch man page): % sudo ausearch -ts recent -i -c escd ^^^^^^^^^^^^^^^^ These are the top results for the ausearch command given above: 930 /usr/lib64/esc-1.1.0/escd 82 /usr/libexec/abrt-hook-ccpp 44 /usr/sbin/sshd 43 /usr/sbin/crond 41 /usr/sbin/usermod 34 /sbin/unix_chkpwd 31 /usr/bin/sudo 24 /bin/ls 22 /usr/sbin/abrtd (deleted) 21 /usr/sbin/httpd 17 /usr/libexec/openssh/sftp-server 15 /bin/su 14 /usr/libexec/gnome-screensaver-dialog 14 /usr/sbin/cupsd OK. It appears that the RH smart card reader software is doing this, which is odd, considering I'm not using a smart card right now. I'll disable it (for now) and see what happens. But I'm going to want it working eventually. Bill -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
