> -----Original Message----- > From: Steve Grubb [mailto:[email protected]] > Sent: Wednesday, January 06, 2016 12:06 PM > > > > euid would be a kernel originating field name. User space could lie > > > about it. The kernel is the only thing that knows the truth. > > > > Unfortunately, that is not true for HTTP servers which run as root but > > authenticates the true user issuing the REST request. The authentication > > is done through PAM. The HTTP server then carries out the action on > behalf > > of that user. The kernel thinks it's a root user, but the HTTP server > > knows otherwise. It sounds like there is no way for a trusted user app to > > inject the correct uid into the audit event. Would you recommend I use > > the "user" field instead of "euid" to indicate who is issuing the request? > > > > Only the data field needs to encoded and ausearch does decode this > > > > > > > > field correctly. My message text would look like: > > > > "op=<op text> data=<encoded data> euid=<uid>" > > > > > > > > When I was using ausearch I expected to be able to find events by > > > > uid using either the "-ua" or "-ue" option that would match the > > > > euid field's value, > > > > > > but no matching events were found. Is this expected behavior? > > > > > > What is the record type? ausearch is optimized to expect certain > > > record types to have fields in a specific order. > > > > I am using the AUDIT_USYS_CONFIG event type as I would like to use > > "aureport -c" to get a summary of the configuration changes to the switch. > > As an alternative, I could use the AUDIT_TRUSTED_APP event type. > > The USYS_CONFIG event is like this: > > type=USYS_CONFIG msg=audit(1389095562.552:540): pid=2249 uid=0 > auid=4325 ses=1 > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > msg='op=change-system- time exe="/usr/sbin/hwclock" hostname=? > addr=? terminal=pts/0 res=success' > > > The kernel supplies all the pieces up to the msg= portion. After that is what > you build. The only real field the event writer does is the op= field, The > rest > are supplied by libaudit. Ausearch does not parse the op= field. > > What I would suggest in a case like this is to create a small utility that > generates the exact report that you want. The auparse library makes that > super easy. I can dig up the skeleton code for something like this if you > want.
Thanks Steve! I'd appreciate the skeleton code. At some point we'll probably want to create a custom report capability. It sounds like ausearch really only handles the fields written by the kernel. Scott G. -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
