Hi,
I've enabled auditing, STREAM mode.
But I'm a little bit confused about what I see in stream.out.
For example, when a user logs in to the system through ssh there's a FAIL record on AUD_CONFIG_WR. Why during login does that user need to write to /etc/security/audit/config?
Another strange thing is that in the users stanza of the config file there's only root=general, but all other users are logged.
Also I'm having strange logs on IBM.CSMAgentRMd.
Last thing, how can I see what is really happening?
For example I see CRON_Start, but is it possible to know the name of the cron job?
From /etc/security/audit/config:
users:
root = general
From stream.out:
- ssh login:
FS_Chdir root root OK Wed Jan 17 10:38:51 2007 sshd
FS_Chroot root root OK Wed Jan 17 10:38:51 2007 sshd
FS_Chdir root root OK Wed Jan 17 10:38:51 2007 sshd
S_PASSWD_READ root root OK Wed Jan 17 10:38:52 2007 sshd
S_PASSWD_READ root root OK Wed Jan 17 10:38:52 2007 sshd
AUD_CONFIG_WR ar00718 ar00718 FAIL Wed Jan 17 10:38:56 2007 sshd
- about CRON:
CRON_Start root root OK Wed Jan 17 10:29:00 2007 cron
FS_Chdir root root OK Wed Jan 17 10:29:00 2007 cron
- about IBM.CSMAgentRMd:
FILE_Unlink root root OK Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 rmcd
FILE_Unlink root root OK Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 rmcd
Why is this event always audited? What are IBM.CSMAgentRMd and rmcd?
Thanks in advance.
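The records above follow the default auditpr column layout (event, login user, real user, status, timestamp, program, optional tail). The script below is an added example, not part of the original post: it parses such STREAM-mode records plus the users stanza of /etc/security/audit/config, then reports which programs produced FAIL records and which login users appear in the stream although they are not listed in the config. The sample records are copied from the post; the column layout and the `*` comment convention of AIX stanza files are assumptions.

```python
"""Summarise AIX audit STREAM-mode output (auditpr default column layout).

Added example, not from the original post. Assumed record layout:
  <event> <login> <real> <OK|FAIL> <Www Mmm dd HH:MM:SS yyyy> <program> [tail]
"""
import re
from collections import Counter

# Constructed sample: the records quoted in the post, in the order they were shown.
SAMPLE_STREAM_OUT = """\
FS_Chdir root root OK Wed Jan 17 10:38:51 2007 sshd
FS_Chroot root root OK Wed Jan 17 10:38:51 2007 sshd
FS_Chdir root root OK Wed Jan 17 10:38:51 2007 sshd
S_PASSWD_READ root root OK Wed Jan 17 10:38:52 2007 sshd
S_PASSWD_READ root root OK Wed Jan 17 10:38:52 2007 sshd
AUD_CONFIG_WR ar00718 ar00718 FAIL Wed Jan 17 10:38:56 2007 sshd
CRON_Start root root OK Wed Jan 17 10:29:00 2007 cron
FS_Chdir root root OK Wed Jan 17 10:29:00 2007 cron
FILE_Unlink root root OK Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 IBM.CSMAgentRMd
FILE_Unlink root root FAIL Wed Jan 17 10:35:50 2007 rmcd
"""

# Constructed sample: the users stanza quoted in the post.
SAMPLE_CONFIG = """\
users:
\troot = general
"""

# One audit record per line; the day may be padded with two spaces (e.g. "Jan  7").
RECORD_RE = re.compile(
    r"^(?P<event>\S+)\s+(?P<login>\S+)\s+(?P<real>\S+)\s+(?P<status>OK|FAIL)\s+"
    r"(?P<time>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+(?P<program>\S+)"
    r"(?:\s+(?P<tail>.*))?$"
)


def parse_records(text):
    """Return a list of dicts, one per well-formed record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def parse_users_stanza(config_text):
    """Return {user: [audit classes]} from the 'users:' stanza of the audit config.

    Assumes the AIX stanza-file layout: 'name:' headers, 'key = value' entries,
    comment lines starting with '*'.
    """
    users = {}
    in_users = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("*"):
            continue
        if stripped.endswith(":"):
            in_users = stripped[:-1] == "users"
            continue
        if in_users and "=" in stripped:
            name, classes = (s.strip() for s in stripped.split("=", 1))
            users[name] = [c.strip() for c in classes.split(",") if c.strip()]
    return users


def failures_by_program(records):
    """Count FAIL records per (program, event) to see who is being denied what."""
    return Counter((r["program"], r["event"]) for r in records if r["status"] == "FAIL")


def events_by_login(records):
    """Count records per login user; shows which users actually appear in the stream."""
    return Counter(r["login"] for r in records)


def users_outside_config(records, configured_users):
    """Login users present in the stream but absent from the users stanza."""
    return {r["login"] for r in records} - set(configured_users)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_STREAM_OUT)
    cfg = parse_users_stanza(SAMPLE_CONFIG)
    print("configured users:", cfg)
    print("records per login user:", dict(events_by_login(recs)))
    print("FAIL records per (program, event):", dict(failures_by_program(recs)))
    print("logged but not configured:", users_outside_config(recs, cfg))
```

Run it against a real stream.out by replacing SAMPLE_STREAM_OUT with the file's contents; records whose layout differs (for example, lines carrying a verbose tail on a separate line) are simply skipped by the parser.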