Bug 242813 - [RHEL 5] audit functionality to trace session-level user activity
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
5.0
All Linux
medium Severity medium
Assigned To: Eric Paris
Martin Jenner
: FutureFeature
Blocks: RHEL5u2_relnotes 399791 425461
Reported: 2007-06-05 18:13 EDT by Issue Tracker
Modified: 2010-10-22 11:30 EDT (History)
Fixed In Version: RHBA-2008-0314
Doc Type: Enhancement
Last Closed: 2008-05-21 10:43:42 EDT
Description Issue Tracker 2007-06-05 18:13:32 EDT
Escalated to Bugzilla from IssueTracker
Comment 5 Steve Grubb 2007-06-06 10:09:19 EDT
The majority of this work would be in the kernel. Basically all that's needed is:

* An integer added to the audit context, like the loginuid
* A global counter added in auditsc.c
* When the loginuid is set, the number in the counter is incremented and added to the context
* Old and new values are logged when the loginuid is updated
* All audit messages output the session number whenever they output the auid field
* Session ID is always inherited at fork
Comment 6 Eric Paris 2007-10-22 13:27:11 EDT
Making this BZ public.  Original issue is described below.  Comment #5 includes
discussion of how to complete this feature enhancement.

****

Auditd does not have any session id included and this is causing some
confusion for the customer.

The customer had been using RHEL3, and they are accustomed to LaUS in
RHEL3, which can be utilized to audit session-level logs:

- user "test1" logs in (session id 00001 is assigned):
- user "test1" logs in (session id 00002 is assigned):

- user "test1" executes "ls" (this is done by session id 00001)
- user "test1" executes "su" (this is done by session id 00002)
and so on...

By manipulating this functionality, the customer had been
cumulating/analyzing logs of their network server in RHEL3.

In RHEL5, if you run audit right out of the box, this does not seem to be the
behavior (see test1.log, taken by # ausearch -ua test1), as the log lacks
the session id.
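
The per-session grouping the customer describes above, as an added example that is not part of the bug report or of the RHEL patch. It assumes audit records carry the session number in a `ses=` field beside `auid=` (the field name Linux audit uses); every log line in it is constructed.

```python
import re

UNSET = 4294967295  # (unsigned)-1: no login uid / session assigned yet

# Constructed sample records (not from the bug report). User test1 (auid=500)
# is logged in twice; auid alone cannot tell the two logins apart, ses can.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1200000001.100:10): login pid=2101 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1
type=LOGIN msg=audit(1200000002.200:11): login pid=2150 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=2
type=SYSCALL msg=audit(1200000003.300:12): syscall=59 success=yes pid=2110 auid=500 uid=500 ses=1 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1200000004.400:13): syscall=59 success=yes pid=2160 auid=500 uid=500 ses=2 comm="su" exe="/bin/su"
type=SYSCALL msg=audit(1200000005.500:14): syscall=59 success=yes pid=2111 auid=500 uid=500 ses=1 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1200000006.600:15): syscall=59 success=yes pid=1 auid=4294967295 uid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the record's fields as a dict, or None for a malformed line."""
    head = HEADER.match(line)
    if not head:
        return None
    # LOGIN records list auid/ses twice (old, new); the later "new" value wins.
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
    fields.update(type=head.group(1), serial=int(head.group(3)))
    return fields

def activity_by_session(log_text):
    """Group command names by (auid, ses); records without a session are skipped."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        auid, ses = rec.get("auid", ""), rec.get("ses", "")
        if not (auid.isdigit() and ses.isdigit()):
            continue
        key = (int(auid), int(ses))
        if UNSET in key:
            continue  # daemon or pre-login activity, no session to attribute
        cmds = sessions.setdefault(key, [])  # a LOGIN record registers the session
        if "comm" in rec:
            cmds.append(rec["comm"])
    return sessions

if __name__ == "__main__":
    for (auid, ses), cmds in activity_by_session(SAMPLE_LOG).items():
        print(f"auid={auid} ses={ses}: {cmds}")
```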
Comment 7 Eric Paris 2007-12-14 14:48:48 EST
Posted a patch to linux-audit on Dec 14, 2007
Comment 8 Don Zickus 2008-01-10 15:41:55 EST
in 2.6.18-66.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 11 Don Domingo 2008-02-05 23:05:13 EST
added to RHEL5.2 release notes under "Kernel-Related Updates":

<quote>
<command>audit</command> can now trace and display per-session user activity.
</quote>

please advise if any further revisions are required. also, as i understand it,
does that mean that, by default, the audit log now includes per-session
information? or is there an option that needs to be called for this to occur (if
so, please let us know)? 

thanks!
Comment 12 Don Domingo 2008-04-01 22:17:06 EDT
Hi,
the RHEL5.2 release notes will be dropped to translation on April 15, 2008, at
which point no further additions or revisions will be entertained.

a mockup of the RHEL5.2 release notes can be viewed at the following link:
http://intranet.corp.redhat.com/ic/intranet/RHEL5u2relnotesmockup.html

please use the aforementioned link to verify if your bugzilla is already in the
release notes (if it needs to be). each item in the release notes contains a
link to its original bug; as such, you can search through the release notes by
bug number.

Cheers,
Don
Comment 14 errata-xmlrpc 2008-05-21 10:43:42 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html
