
Thread: Process Not Recorded Correctly in audit.log

  1. #1

    Process Not Recorded Correctly in audit.log

    First off, everything seems to work just fine. This is a little esoteric so please bear with me...

    I'm looking for whatever this is: (in /var/log/audit/audit.log)
    Code:
    cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573
    Some back story:
    1) This is on a RHEL 5.3 x86_64 box w/ ZCS 5.0.16 x86_64
    2) The entire install and configuration of the server I'm building is scripted.
    3) This anomaly first occurs in the middle of the ZCS-NE install script, about the time it's installing openldap; thereafter in perpetuity as well.
    4) My script really just kicks off the zimbra installer script and feeds the parameters as needed.
    5) If I comment out the ZCS-NE portion of the install script (installing only BIND/Samba) I never see this in the audit log.

    While I'm watching my audit logs I'm seeing 2 funky entries that run in a cyclical manner. The cycles are differentiated thus:

    msg='cwd="/" cmd=2F6...
    msg='cwd="/opt/zimbra" cmd=2F6...

    Code:
    # tail -f /var/log/audit/audit.log
    
    EPOCH Time: Saturday, September 12, 2009 8:59:36 PM - Cycle 1
    type=CRED_ACQ msg=audit(1252807176.188:262726): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_START msg=audit(1252807176.188:262727): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_END msg=audit(1252807176.188:262728): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_CMD msg=audit(1252807176.190:262729): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
    
    EPOCH Time: Saturday, September 12, 2009 9:01:01 PM - Cycle 1
    type=CRED_ACQ msg=audit(1252807261.801:262764): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_START msg=audit(1252807261.801:262765): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_END msg=audit(1252807261.801:262766): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_CMD msg=audit(1252807261.803:262767): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
    the interval seems to be 1m 25s
    ===
    EPOCH Time: Saturday, September 12, 2009 9:00:13 PM - Cycle 2
    type=CRED_ACQ msg=audit(1252807213.856:262750): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_START msg=audit(1252807213.856:262751): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_END msg=audit(1252807213.857:262752): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_CMD msg=audit(1252807213.858:262753): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
    
    EPOCH Time: Saturday, September 12, 2009 9:02:07 PM - Cycle 2
    type=CRED_ACQ msg=audit(1252807327.959:262780): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_START msg=audit(1252807327.959:262781): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_END msg=audit(1252807327.960:262782): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
    type=USER_CMD msg=audit(1252807327.961:262783): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
    the interval seems to be 2m 6s
    Like I say, everything works. I'd really like to know what this is, though. And whether this shows up in anyone else's audit.log.

    Thanks in advance,
    todd_dsm

    Don't forget to Vote for this RFE:
    RFE: A place To Display the contents of 'My Documents'
    Reasoning: It's new, bold, and cool.
    Last edited by todd_dsm; 10-08-2010 at 09:43 AM.

  2. #2


    You are checking the wrong audit.log file. Zimbra doesn't log to /var/log/audit/audit.log; rather, it is the /opt/zimbra/log/audit.log file.

  3. #3


    I believe auditd writes any/all auth to the system log. If an application has to auth before interacting with the system, it gets logged here:
    Code:
    # tail -f /var/log/audit/audit.log
    type=LOGIN msg=audit(1256532361.646:5148): login pid=28000 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=276
    type=USER_START msg=audit(1256532361.650:5149): user pid=28000 uid=0 auid=500 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="zimbra" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
    type=CRED_ACQ msg=audit(1256532367.457:5150): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_START msg=audit(1256532367.458:5151): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_END msg=audit(1256532367.458:5152): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_CMD msg=audit(1256532367.459:5153): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
    type=CRED_ACQ msg=audit(1256532367.519:5154): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_START msg=audit(1256532367.520:5155): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_END msg=audit(1256532367.520:5156): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
    type=USER_CMD msg=audit(1256532367.521:5157): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd="/opt/zimbra/libexec/zmmtastatus" (terminal=? res=success)'
    So, help me understand how Zimbra is not authing in order to execute commands on the system? (auid=500 is zimbra, by the way.)

    Thanks in advance,
    todd_dsm

    Last edited by todd_dsm; 10-08-2010 at 09:44 AM.
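An added example, not code from the original posts or from Zimbra, that decodes the field both of todd_dsm's posts are about. auditd writes "untrusted string" fields (cmd, cwd, acct, exe and a few others) in double quotes when the value is clean, and as an unquoted run of hex digits whenever the value contains a space, a double quote or a non-printable byte. That is why the record for zmmailboxdmgr, whose command line has a space in it, appears as hex, while the zmmtastatus record in post #3 is quoted. `ausearch -i` performs the same decoding on a live box; the script below does it offline over constructed lines modelled on the records quoted above, and lists which auid ran which command through sudo from which cwd. The sample lines, the field set and the helper names are my assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records, modelled on the USER_CMD / USER_START lines quoted
# in the thread (not copied from a live system).
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1252807176.190:262729): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
type=USER_CMD msg=audit(1252807213.858:262753): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
type=USER_START msg=audit(1256532361.650:5149): user pid=28000 uid=0 auid=500 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="zimbra" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_CMD msg=audit(1256532367.521:5157): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd="/opt/zimbra/libexec/zmmtastatus" (terminal=? res=success)'
"""

# Outer record header: type=... msg=audit(<epoch seconds>:<serial>): <body>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs: a double-quoted value, or a bare token that stops at
# whitespace, ')', ',' or the quote that closes the inner msg='...' payload
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s)',]+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Fields auditd writes as "untrusted strings": quoted when clean, hex-encoded
# when the value contains a space, a double quote or a non-printable byte.
# (Assumed set for this example; the real list is longer.)
ENCODED_KEYS = {"cmd", "cwd", "acct", "exe", "comm", "proctitle"}


def decode_audit_field(value: str) -> str:
    """Return the plain text of an untrusted-string field.

    '"/opt/zimbra"' -> '/opt/zimbra'; '2F6F7074...' -> '/opt/...'.
    This is the decoding `ausearch -i` applies to the same fields.
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one audit.log line into type, timestamp, serial and key=value fields.

    The inner msg='...' payload (cwd, cmd, acct, exe, ...) is merged into the
    same dict; encodable fields are decoded, everything else is kept verbatim.
    """
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    start = body.find("msg='")
    if start == -1:
        outer, inner = body, ""
    else:
        outer = body[:start]
        inner = body[start + len("msg='"):].rstrip().rstrip("'")
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(outer) + FIELD_RE.findall(inner):
        fields[key] = decode_audit_field(raw) if key in ENCODED_KEYS else raw
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def sudo_commands(log_text: str) -> List[Tuple[int, str, str]]:
    """(auid, cwd, decoded command) for every USER_CMD record, i.e. every command
    that went through sudo, in log order.  auid is the login uid sudo was invoked
    under and survives the switch to uid=0, so it tells root-originated runs
    (auid=0) apart from runs started as the zimbra account (auid=500 here)."""
    result = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None and rec.type == "USER_CMD":
            result.append((int(rec.fields["auid"]), rec.fields["cwd"], rec.fields["cmd"]))
    return result


def hidden_control_chars(cmd: str) -> List[str]:
    """Control characters in a decoded command.  A newline or other control byte
    in cmd= is hex-encoded as well, so it never matches a grep of the raw log;
    decode first, then inspect."""
    return [c for c in cmd if ord(c) < 0x20 or ord(c) == 0x7F]


if __name__ == "__main__":
    for auid, cwd, cmd in sudo_commands(SAMPLE_AUDIT_LOG):
        print(f"auid={auid:<4} cwd={cwd:<12} cmd={cmd!r}")
```

Run against the sample, the hex blob in the thread decodes to `/opt/zimbra/libexec/zmmailboxdmgr status`, executed through sudo once with auid=0 from `/` and once with auid=500 from `/opt/zimbra`, which matches the two "cycles" in post #1. On the box itself `ausearch -m USER_CMD -i` gives the same decoded view without any scripting.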
