Auditd hostname?

lattimro · 11-20-2023, 10:34 AM

Hi Folks,

What is not properly defined on this fedora 39 for auditd to report these hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Code:

tail /var/log/audit/audit.log
type=LOGIN msg=audit(1700497234.187:297): pid=3389 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=975 tty=(none) old-ses=4294967295 ses=5 res=1UID="root" OLD-AUID="unset" AUID="lightdm"
type=USER_START msg=audit(1700497234.216:298): pid=3389 uid=0 auid=975 ses=5 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_namespace,pam_systemd_home,pam_umask,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="lightdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="lightdm"
type=SERVICE_START msg=audit(1700497235.164:299): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@975 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_START msg=audit(1700497235.223:300): pid=3383 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_unix,pam_systemd acct="lightdm" exe="/usr/sbin/lightdm" hostname=? addr=? terminal=:0 res=success'UID="root" AUID="unset"
type=BPF msg=audit(1700497238.774:301): prog-id=96 op=LOAD
type=SERVICE_START msg=audit(1700497239.111:302): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1700497269.315:303): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=BPF msg=audit(1700497269.319:304): prog-id=96 op=UNLOAD
type=SERVICE_STOP msg=audit(1700497291.358:305): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=geoclue comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1700497365.362:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.freedesktop.problems@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Thanks a lot!

smallpond · 11-25-2023, 08:14 AM

auid=4294967295 is -1 (32 bit) which is usually called "nobody" but audit is calling it "unset".

This just means the service doesn't have a login uid, or an assigned terminal, or an assigned network address or hostname. For hostname they may actually mean DNS name, so it would go along with not having an address.