Bug 242813
Summary: | [RHEL 5] audit functionality to trace session-level user activity | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Issue Tracker <tao> |
Component: | kernel | Assignee: | Eric Paris <eparis> |
Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 5.0 | CC: | aviro, ddomingo, dzickus, sgrubb, tao |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | RHBA-2008-0314 | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-05-21 14:43:42 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 391221, 399791, 425461 | | |

Description
Issue Tracker
2007-06-05 22:13:32 UTC
The majority of this work would be in the kernel. Basically all that's needed is:

* An integer added to audit context like the loginuid
* A global counter be added in auditsc.c
* when the loginuid is set, number in counter is incremented and added to context
* old and new value is logged when loginuid is updated
* all audit messages output the session number whenever they output auid field
* session ID is always inherited at fork

Making this BZ public. Original issue is described below. Comment #5 includes discussion of how to complete this feature enhancement.

****

Auditd does not have any session id included and this is making some confusion to the customer. The customer had been using RHEL3, and they are accustomed with LaUS in RHEL3, which can be utilized to audit session-level logs:

- user "test1" logs in (session id 00001 is assigned):
- user "test1" logs in (session id 00002 is assigned):
- user "test1" executes "ls" (this is done by session id 00001)
- user "test1" executes "su" (this is done by session id 00002)

and so on...

By manipulating this functionality, the customer had been cumulating/analyzing logs of their network server in RHEL3. In RHEL5, if you run audit right out of the box this seems to be not a behavior (see test1.log, taken by # ausearch -ua test1), as the log lacks the session id.

posted a patch to linux-audit on Dec 14, 2007

in 2.6.18-66.el5

You can download this test kernel from http://people.redhat.com/dzickus/el5

added to RHEL5.2 release notes under "Kernel-Related Updates":

<quote> <command>audit</command> can now trace and display per-session user activity. </quote>

please advise if any further revisions are required. also, as i understand it, does that mean that, by default, the audit log now includes per-session information? or is there an option that needs to be called for this to occur (if so, please let us know)? thanks!

Hi, the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link: http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the release notes (if it needs to be). each item in the release notes contains a link to its original bug; as such, you can search through the release notes by bug number.

Cheers, Don

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html
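
The per-session tracing requested in the description, as an added example that is not part of the bug report or the kernel patch: a Python sketch that groups one login UID's audit records by session ID, using the two-logins-of-"test1" scenario. The log lines are constructed and abbreviated, and the `ses` field name and the LOGIN record layout ("old auid/new auid/old ses/new ses") are assumptions about what the audit subsystem emits.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit records (not from the bug report). Two
# concurrent logins of the same user (auid=500) get different "ses" values.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1200000000.100:10): login pid=2101 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1
type=LOGIN msg=audit(1200000005.200:11): login pid=2150 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=2
type=SYSCALL msg=audit(1200000010.300:12): arch=c000003e syscall=59 success=yes exit=0 pid=2203 auid=500 uid=500 ses=1 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1200000012.400:13): arch=c000003e syscall=59 success=yes exit=0 pid=2210 auid=500 uid=500 ses=2 comm="su" exe="/bin/su"
type=SYSCALL msg=audit(1200000015.500:14): arch=c000003e syscall=59 success=yes exit=0 pid=2215 auid=4294967295 uid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

UNSET = 4294967295  # (u32)-1: no login UID / session ID has been set

def parse(line):
    """Return (record_type, auid, ses, label), or None if not attributable."""
    m = re.match(r"type=(\S+) msg=audit\(", line)
    if not m:
        return None
    rtype = m.group(1)
    if rtype == "LOGIN":
        # The new values are the ones that apply from this record onwards.
        ids = re.search(r"new auid=(\d+) old ses=\d+ new ses=(\d+)", line)
        label = "LOGIN"
    else:
        ids = re.search(r" auid=(\d+).* ses=(\d+)", line)
        comm = re.search(r' comm="([^"]*)"', line)
        label = comm.group(1) if comm else rtype
    if not ids:
        return None  # e.g. a record from a kernel that logs no session ID
    return rtype, int(ids.group(1)), int(ids.group(2)), label

def sessions_for(log, auid):
    """Group one login UID's activity by session ID, in log order."""
    by_session = defaultdict(list)
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != auid or rec[2] == UNSET:
            continue
        by_session[rec[2]].append(rec[3])
    return dict(by_session)

if __name__ == "__main__":
    for ses, events in sorted(sessions_for(SAMPLE_LOG, 500).items()):
        print(f"auid=500 ses={ses}: {events}")
```

Records that carry an auid but no session ID are dropped rather than guessed at, which is the situation the original report describes for an unpatched RHEL5 kernel.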