Quote:
Originally Posted by syg00
"user-space" simply means "non-kernel"; it is used to differentiate the two. Anything running in kernel-space is by definition running at elevated privilege.
A user is simply an entity that can be authenticated - it doesn't need to be a carbon-based lifeform; it might be a daemon for example.
Thanks for your answer,
My goal is to map authentication events from users and su escalations; how can I tell one from the other? When I make an su escalation to become root, does it still count as user-space? I can't understand the difference between type=LOGIN, type=USER_AUTH and type=USER_LOGIN.
The documentation says:
USER_LOGIN Triggered when a user logs in.
USER_AUTH Triggered when a user-space authentication attempt is detected.
LOGIN Triggered to record relevant login information when a user logs in to access the system.
They seem almost the same to me. The LOGIN type in particular seems clear in the description, but if you look at the events, the information in the three types is the same. I will give some examples:
type=USER_START
type=USER_START msg=audit(1525986087.087:237990257): pid=8122 uid=0 auid=12146 ses=160852 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'
type=USER_START msg=audit(1525986085.548:820853741): pid=233420 uid=0 auid=10227 ses=717619 msg='op=login id=10227 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'
type=USER_AUTH
type=USER_AUTH msg=audit(1525986161.640:166561985): user pid=4342 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="sondeos" exe="/usr/sbin/sshd" hostname=200.123.177.97 addr=200.123.177.97 terminal=ssh res=success'
type=USER_AUTH msg=audit(1525986155.563:166561959): user pid=4340 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=193.201.224.212 addr=193.201.224.212 terminal=ssh res=failed'
type=LOGIN
type=LOGIN msg=audit(1525986121.139:237995974): pid=12650 uid=0 old-auid=4294967295 auid=1500 old-ses=4294967295 ses=160854 res=1
type=LOGIN msg=audit(1525986120.593:166561282): pid=3973 uid=0 old auid=0 new auid=792 old ses=1936215 new ses=1953641
type=USER_LOGIN
type=USER_LOGIN msg=audit(1525986087.032:237990246): pid=8122 uid=0 auid=12146 ses=160852 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1525986085.895:237990094): pid=8010 uid=0 auid=12146 ses=160851 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'
Thanks in advance!
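The distinction the post is asking about can be made mechanically from the fields the records already carry, so here is an added example (not from the post and not auditd's own tooling) that parses the record layouts shown above and labels each one. It relies on three properties of the Linux audit subsystem: LOGIN is a kernel record written when pam_loginuid assigns the login UID (auid) to a process, and old-auid=4294967295 means it was unset before; USER_AUTH, USER_LOGIN and USER_START are sent by the user-space program named in exe, so for sshd the outer auid belongs to the daemon, not the person logging in; and auid is inherited across su and sudo, so in an escalation record auid is still the original user while acct is the account being switched to. The five sshd/LOGIN lines are copied from the post; the two su lines are constructed for this example and are not from the original thread. Treating su and sudo as the escalation tools is this example's own assumption.

```python
"""Classify auditd login, authentication and su/sudo escalation records.

Added example; not from the forum post or the audit project. The su lines in
SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from os.path import basename

UNSET_AUID = "4294967295"          # (uid_t)-1: loginuid not yet set on this process
ESCALATION_TOOLS = {"su", "sudo"}  # exe basenames treated as escalation (assumption)

# Lines 1-5 are from the post; lines 6-7 are constructed su records.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1525986161.640:166561985): user pid=4342 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="sondeos" exe="/usr/sbin/sshd" hostname=200.123.177.97 addr=200.123.177.97 terminal=ssh res=success'
type=USER_AUTH msg=audit(1525986155.563:166561959): user pid=4340 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=193.201.224.212 addr=193.201.224.212 terminal=ssh res=failed'
type=LOGIN msg=audit(1525986121.139:237995974): pid=12650 uid=0 old-auid=4294967295 auid=1500 old-ses=4294967295 ses=160854 res=1
type=LOGIN msg=audit(1525986120.593:166561282): pid=3973 uid=0 old auid=0 new auid=792 old ses=1936215 new ses=1953641
type=USER_LOGIN msg=audit(1525986087.032:237990246): pid=8122 uid=0 auid=12146 ses=160852 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'
type=USER_AUTH msg=audit(1525986200.000:1): pid=9001 uid=12146 auid=12146 ses=160852 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1525986200.100:2): pid=9001 uid=12146 auid=12146 ses=160852 msg='op=PAM:session_open acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
"""

# key=value, where value may be 'single-quoted', "double-quoted" or a bare token
KV_RE = re.compile(r"(\S+?)=('[^']*'|\"[^\"]*\"|\S+)")
TS_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def _kv(text):
    """Parse key=value pairs, stripping surrounding quotes from values."""
    return {k: (v[1:-1] if v[:1] in ("'", '"') else v) for k, v in KV_RE.findall(text)}


def parse(line):
    """Flatten one audit record, merging the nested msg='...' fields into it."""
    # Older kernels write LOGIN as 'old auid=... new auid=...'; normalise to the
    # hyphenated layout so both forms seen in the post parse identically.
    line = (line.replace("old auid=", "old-auid=").replace("new auid=", "auid=")
                .replace("old ses=", "old-ses=").replace("new ses=", "ses="))
    ev = {}
    for key, raw in KV_RE.findall(line):
        val = raw[1:-1] if raw[:1] in ("'", '"') else raw
        if key == "msg":
            m = TS_RE.match(val)
            if m:                       # msg=audit(timestamp:serial):
                ev["ts"], ev["serial"] = m.group(1), m.group(2)
            else:                       # msg='op=... acct=... exe=... res=...'
                ev.update(_kv(val))
        else:
            ev[key] = val
    return ev


def classify(ev):
    """Return (kind, actor, target) for one parsed record."""
    t, exe, auid = ev.get("type"), basename(ev.get("exe", "")), ev.get("auid")
    if t == "LOGIN":
        # Kernel record: auid assigned to the pid. Unset old-auid means a fresh login.
        kind = "loginuid_set" if ev.get("old-auid") == UNSET_AUID else "loginuid_changed"
        return kind, ev.get("old-auid"), auid
    if exe in ESCALATION_TOOLS:
        # su/sudo keep the caller's auid; acct is the account being switched to.
        kind = {"USER_AUTH": "escalation_auth", "USER_START": "escalation_session"}
        return kind.get(t, "escalation_other"), auid, ev.get("acct")
    if t == "USER_AUTH":
        # Sent by the daemon (sshd), so auid here is the daemon's, not the user's.
        return "auth_attempt", auid, ev.get("acct")
    if t == "USER_LOGIN":
        return "login", auid, ev.get("id")
    if t == "USER_START":
        return "session_start", auid, ev.get("id", ev.get("acct"))
    return "other", auid, None


def timeline(log):
    """One summary row per non-empty log line, in log order."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        kind, actor, target = classify(ev)
        rows.append({"ts": ev.get("ts"), "type": ev.get("type"), "kind": kind,
                     "actor": actor, "target": target, "ses": ev.get("ses"),
                     "res": ev.get("res")})
    return rows


def escalations(log):
    """Only the su/sudo records: who (auid) tried to become whom (acct)."""
    return [r for r in timeline(log) if r["kind"].startswith("escalation")]


def by_session(log):
    """Group record kinds by audit session id, linking a later su to its login."""
    out = defaultdict(list)
    for r in timeline(log):
        out[r["ses"]].append(r["kind"])
    return dict(out)


if __name__ == "__main__":
    for r in timeline(SAMPLE_LOG):
        print(f'{r["ts"]} {r["type"]:<10} {r["kind"]:<19} actor={r["actor"]} '
              f'target={r["target"]} ses={r["ses"]} res={r["res"]}')
```

Joining on ses is what answers the original question in practice: the USER_LOGIN from sshd and the later su records share the same session id and the same auid, so the escalation can be traced back to the account that actually logged in, whatever uid the process ends up with afterwards.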