LinuxQuestions.org
Old 01-09-2013, 04:19 AM   #1
project.linux.proj
Member
 
error logs in audit


Hi,

I got the error logs below in audit.log. The account is authenticating from an LDAP server. Can anybody explain what these failed messages are?

type=USER_AUTH msg=audit(1357702309.823:2747546): user pid=14251 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.3.46 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702397.903:2747564): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=192.20.11.53 addr=192.20.11.53 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702397.903:2747565): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.11.53 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702404.217:2747566): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=192.20.11.53 addr=192.20.11.53 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702404.218:2747567): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.11.53 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1357702426.597:2747578): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.11.53 terminal=ssh res=failed'

Last edited by project.linux.proj; 01-09-2013 at 04:32 AM.
 
Old 01-09-2013, 07:19 AM   #2
unSpawn
Moderator
 
The first item is the type of message (see 'ausearch -m'), originating from (the PAM stack for) a service or login. uid=0 means the process runs with root account rights, the "auid=4294967295" means the process isn't known to the audit service (possibly started before the audit service was started) and the message means the OpenSSH daemon didn't allow the "test" account to ssh in. IMNSHO one shouldn't have accounts named "test" anyway (use a unique, not-so-easy-to-guess name instead) and guard access rights for testing accounts just like one would for any other account. Check /var/log/secure or equivalent first if this is correct: you should see failed logins there.
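Added example, not part of either post above: a small Python parser that groups failed sshd records like the ones in the question by account and source address, so repeated failures from one host stand out. The first four sample records are copied from the question; the fifth (a successful login for a hypothetical account "alice") is constructed to show the filter, and the function names are this example's own.

```python
import re
import shlex
from datetime import datetime, timezone

UNSET_AUID = "4294967295"  # (uint32)-1: no login uid is set on the process
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# Records 1-4 are copied from the question; record 5 (acct "alice") is constructed.
SAMPLE = """\
type=USER_AUTH msg=audit(1357702309.823:2747546): user pid=14251 uid=0 auid=4294967295 ses=4294967295 msg='op=pubkey acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.3.46 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702397.903:2747564): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="test" exe="/usr/sbin/sshd" hostname=192.20.11.53 addr=192.20.11.53 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702397.903:2747565): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.11.53 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1357702426.597:2747578): user pid=15121 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="test" exe="/usr/sbin/sshd" hostname=? addr=192.20.11.53 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1357702500.000:2747600): user pid=15200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
""".splitlines()

def parse_record(line):
    """Flatten one audit.log line into a dict; return None if it does not parse."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]),
           "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)}
    outer, _, inner = m["body"].partition("msg='")  # inner = the quoted sshd/PAM payload
    try:
        tokens = shlex.split(outer) + shlex.split(inner.rstrip("'"))
    except ValueError:  # unbalanced quotes in a damaged record
        return None
    rec.update(t.split("=", 1) for t in tokens if "=" in t)  # shlex already removed "..."
    rec["auid_unset"] = rec.get("auid") == UNSET_AUID
    return rec

def failed_auth_summary(lines):
    """Group failed USER_AUTH/USER_LOGIN records by (account, source address)."""
    summary = {}
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] not in ("USER_AUTH", "USER_LOGIN") or rec.get("res") != "failed":
            continue
        entry = summary.setdefault((rec.get("acct"), rec.get("addr")),
                                   {"count": 0, "ops": set(), "first": rec["time"]})
        entry["count"] += 1
        entry["ops"].add(rec.get("op"))
        entry["last"] = rec["time"]
    return summary

if __name__ == "__main__":
    for (acct, addr), e in failed_auth_summary(SAMPLE).items():
        print(acct, addr, e["count"], sorted(e["ops"]), e["first"], e["last"])
```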
 
  

