Bug 242813 - [RHEL 5] audit functionality to trace session-level user activity
Summary: [RHEL 5] audit functionality to trace session-level user activity
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks: RHEL5u2_relnotes 399791 425461
Reported: 2007-06-05 22:13 UTC by Issue Tracker
Modified: 2018-10-19 23:22 UTC (History)

Fixed In Version: RHBA-2008-0314
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 14:43:42 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0314 0 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5.2 2008-05-20 18:43:34 UTC

Description Issue Tracker 2007-06-05 22:13:32 UTC
Escalated to Bugzilla from IssueTracker

Comment 5 Steve Grubb 2007-06-06 14:09:19 UTC
The majority of this work would be in the kernel. Basically all that's needed is:

* An integer added to audit context like the loginuid
* A global counter be added in auditsc.c
* when the loginuid is set, number in counter is incremented and added to context
* old and new value is logged when loginuid is updated
* all audit messages output the session number whenever they output auid field
* session ID is always inherited at fork


Comment 6 Eric Paris 2007-10-22 17:27:11 UTC
Making this BZ public.  Original issue is described below.  Comment #5 includes
discussion of how to complete this feature enhancement.

****

Auditd does not have any session id included and this is making some
confusion to the customer. 

The customer had been using RHEL3, and they are accustomed to LaUS in
RHEL3, which can be utilized to audit session-level logs: 

- user "test1" logs in (session id 00001 is assigned):
- user "test1" logs in (session id 00002 is assigned):

- user "test1" executes "ls" (this is done by session id 00001)
- user "test1" executes "su" (this is done by session id 00002)
and so on...

By manipulating this functionality, the customer had been
cumulating/analyzing logs of their network server in RHEL3.  

In RHEL5, if you run audit right out of the box this seems to be not a
behavior (see test1.log, taken by # ausearch -ua test1), as the log lacks
the session id. 

Comment 7 Eric Paris 2007-12-14 19:48:48 UTC
posted a patch to linux-audit on Dec 14, 2007

Comment 8 Don Zickus 2008-01-10 20:41:55 UTC
in 2.6.18-66.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 11 Don Domingo 2008-02-06 04:05:13 UTC
added to RHEL5.2 release notes under "Kernel-Related Updates":

<quote>
<command>audit</command> can now trace and display per-session user activity.
</quote>

please advise if any further revisions are required. also, as i understand it,
does that mean that, by default, the audit log now includes per-session
information? or is there an option that needs to be called for this to occur (if
so, please let us know)? 

thanks!

Comment 12 Don Domingo 2008-04-02 02:17:06 UTC
Hi,
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don

Comment 14 errata-xmlrpc 2008-05-21 14:43:42 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html


