Red Hat Bugzilla – Bug 242813
[RHEL 5] audit functionality to trace session-level user activity
Last modified: 2010-10-22 11:30:46 EDT
Escalated to Bugzilla from IssueTracker
The majority of this work would be in the kernel. Basically all that's needed is:
* An integer added to audit context like the loginuid
* A global counter be added in auditsc.c
* when the loginuid is set, number in counter is incremented and added to context
* old and new value is logged when loginuid is updated
* all audit messages output the session number whenever they output auid field
* session ID is always inherited at fork
Making this BZ public. Original issue is described below. Comment #5 includes
discussion of how to complete this feature enhancement.
Auditd does not have any session id included and this is making some
confusion to the customer.
The customer had been using RHEL3, and they are accustomed to LaUS in
RHEL3, which can be utilized to audit session-level logs:
- user "test1" logs in (session id 00001 is assigned):
- user "test1" logs in (session id 00002 is assigned):
- user "test1" executes "ls" (this is done by session id 00001)
- user "test1" executes "su" (this is done by session id 00002)
and so on...
By manipulating this functionality, the customer had been
accumulating/analyzing logs of their network server in RHEL3.
In RHEL5, if you run audit right out of the box this seems to be not a
behavior (see test1.log, taken by # ausearch -ua test1), as the log lacks
the session id.
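The two-login scenario above, as an added example that is not part of the original report or of the audit project's code: it groups audit records by login UID and session number so that concurrent logins of one user can be told apart. It assumes the session number is emitted as a `ses=` field next to `auid=`; the sample records and the helper names `parse_record` and `sessions` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not the bug's test1.log). The layout follows Linux
# audit SYSCALL records; the field name "ses" is an assumption, not from the page.
SAMPLE = """\
type=SYSCALL msg=audit(1199145600.101:41): arch=40000003 syscall=11 success=yes exit=0 pid=2101 auid=500 uid=500 ses=1 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1199145601.202:42): arch=40000003 syscall=11 success=yes exit=0 pid=2150 auid=500 uid=500 ses=2 comm="su" exe="/bin/su"
type=SYSCALL msg=audit(1199145602.303:43): arch=40000003 syscall=11 success=yes exit=0 pid=2151 auid=500 uid=0 ses=2 comm="bash" exe="/bin/bash"
type=SYSCALL msg=audit(1199145603.404:44): arch=40000003 syscall=11 success=yes exit=0 pid=2102 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1199145604.505:45): arch=40000003 syscall=11 success=yes exit=0 pid=1 auid=4294967295 uid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
UNSET = 4294967295  # (u32)-1: loginuid / session never set (daemons, boot)


def parse_record(line):
    """Return serial, auid, ses, uid and comm for one record, or None."""
    m = SERIAL.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    num = lambda key: int(f[key]) if f.get(key, "").isdigit() else None
    return {"serial": int(m.group(1)), "auid": num("auid"),
            "ses": num("ses"), "uid": num("uid"), "comm": f.get("comm")}


def sessions(text):
    """Group records by (auid, ses); ses is None when the record lacks it."""
    out = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["auid"] in (None, UNSET):
            continue  # daemon or boot activity, not tied to any login
        ses = None if rec["ses"] == UNSET else rec["ses"]
        out[(rec["auid"], ses)].append((rec["serial"], rec["uid"], rec["comm"]))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (auid, ses), events in sorted(sessions(SAMPLE).items(), key=str):
        print(f"auid={auid} ses={ses}: {events}")
```

Records that carry `auid` but no session number fall into the `(auid, None)` bucket, which is the ambiguity the report describes: the activity is known to be test1's, but not which login produced it.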
posted a patch to linux-audit on Dec14,2007
You can download this test kernel from http://people.redhat.com/dzickus/el5
added to RHEL5.2 release notes under "Kernel-Related Updates":
<command>audit</command> can now trace and display per-session user activity.
please advise if any further revisions are required. also, as i understand it,
does that mean that, by default, the audit log now includes per-session
information? or is there an option that needs to be called for this to occur (if
so, please let us know)?
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.
a mockup of the RHEL5.2 release notes can be viewed at the following link:
please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.