Bug 242813

Summary: [RHEL 5] audit functionality to trace session-level user activity
Product: Red Hat Enterprise Linux 5
Reporter: Issue Tracker <tao>
Component: kernel
Assignee: Eric Paris <eparis>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: medium
Priority: medium
Version: 5.0
CC: aviro, ddomingo, dzickus, sgrubb, tao
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0314
Doc Type: Enhancement
Last Closed: 2008-05-21 14:43:42 UTC
Bug Blocks: 391221, 399791, 425461    

Description Issue Tracker 2007-06-05 22:13:32 UTC
Escalated to Bugzilla from IssueTracker

Comment 5 Steve Grubb 2007-06-06 14:09:19 UTC
The majority of this work would be in the kernel. Basically all that's needed is:

* An integer added to audit context like the loginuid
* A global counter be added in auditsc.c
* when the loginuid is set, number in counter is incremented and added to context
* old and new value is logged when loginuid is updated
* all audit messages output the session number whenever they output auid field
* session ID is always inherited at fork

Comment 6 Eric Paris 2007-10-22 17:27:11 UTC
Making this BZ public.  Original issue is described below.  Comment #5 includes
discussion of how to complete this feature enhancement.


Auditd does not have any session id included and this is making some
confusion to the customer. 

The customer had been using RHEL3, and they are accustomed with LaUS in
RHEL3, which can be utilized to audit session-level logs: 

- user "test1" logs in (session id 00001 is  assigned):
- user "test1" logs in (session id 00002 is  assigned):

- user "test1" executes "ls" (this is done by session id 00001)
- user "test1" executes "su" (this is done by session id 00002)
and so on...

By manipulating this functionality, the customer had been
cumulating/analyzing logs of their network server in RHEL3.  

In RHEL5, if you run audit right out of the box this seems to be not a
behavior (see test1.log, taken by # ausearch -ua test1), as the log lacks
the session id. 
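
Once the kernel emits a session number next to the auid field, as Comment 5 proposes, the per-session view described in this comment can be rebuilt from the log. The sketch below is an added example, not part of the bug report or the kernel patch; it assumes the session number appears as the `ses=` field (the name Linux audit records use), and the log lines are constructed and shortened.

```python
import re
from collections import defaultdict

UNSET = 4294967295  # (u32)-1: loginuid/session never set, e.g. daemons started at boot

# Constructed, shortened sample records (real SYSCALL records carry more fields).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200000001.100:10): syscall=59 pid=2301 auid=500 uid=500 ses=1 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1200000002.200:11): syscall=59 pid=2410 auid=500 uid=500 ses=2 comm="su" exe="/bin/su"
type=SYSCALL msg=audit(1200000003.300:12): syscall=59 pid=2411 auid=500 uid=0 ses=2 comm="id" exe="/usr/bin/id"
type=SYSCALL msg=audit(1200000004.400:13): syscall=59 pid=801 auid=4294967295 uid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
type=SYSCALL msg=audit(1200000005.500:14): syscall=59 pid=2302 auid=500 uid=500 comm="cat" exe="/bin/cat"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, value in FIELD.findall(m.group(4)):
        rec[key] = value.strip('"')
    return rec

def group_by_session(log_text):
    """Return ({(auid, ses): [comm, ...]}, [records with no usable session])."""
    sessions, no_session = defaultdict(list), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        try:
            auid, ses = int(rec["auid"]), int(rec["ses"])
        except (KeyError, ValueError):
            no_session.append(rec)  # no ses= field (kernel without the feature) or malformed
            continue
        if auid == UNSET or ses == UNSET:
            no_session.append(rec)  # activity not tied to any login
        else:
            sessions[(auid, ses)].append(rec.get("comm", "?"))
    return dict(sessions), no_session

if __name__ == "__main__":
    for (auid, ses), cmds in sorted(group_by_session(SAMPLE_LOG)[0].items()):
        print(f"auid={auid} ses={ses}: {' '.join(cmds)}")
```

In the sample, the `id` run after `su` has uid=0 but keeps auid=500 and ses=2, so it still attributes to the second login of the same user.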

Comment 7 Eric Paris 2007-12-14 19:48:48 UTC
posted a patch to linux-audit on Dec14,2007

Comment 8 Don Zickus 2008-01-10 20:41:55 UTC
in 2.6.18-66.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 11 Don Domingo 2008-02-06 04:05:13 UTC
added to RHEL5.2 release notes under "Kernel-Related Updates":

<command>audit</command> can now trace and display per-session user activity.

please advise if any further revisions are required. also, as i understand it,
does that mean that, by default, the audit log now includes per-session
information? or is there an option that needs to be called for this to occur (if
so, please let us know)? 


Comment 12 Don Domingo 2008-04-02 02:17:06 UTC
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.


Comment 14 errata-xmlrpc 2008-05-21 14:43:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.