Help me to understand Audit.log

3dgjos · 05-18-2018, 03:30 PM

Hello, I'm parsing the audit log from some redhat servers to put them into Splunk. im helping myself with the documentation: https://access.redhat.com/documentat...t_Record_Types

but im starting to get confused. I have to distinguish between user-space and user:

USER_AUTH (Triggered when a user-space authentication attempt is detected.)

USER_LOGIN (Triggered when a user logs in.)

several fields refers to user, some other to user-space. My question is: what's the difference between user and user space? because I found auth events to both user and user-space.

Thanks!

syg00 · 05-20-2018, 02:17 AM

"user-space" simply means "non-kernel"; it is used to differentiate the two. Anything running in kernel-space is by definition running at elevated privilege.
A user is simply an entity that can be authenticated - it doesn't need to be a carbon-based lifeform; it might be a daemon for example.

3dgjos · 05-20-2018, 10:21 PM

Quote:

Originally Posted by syg00

"user-space" simply means "non-kernel"; it is used to differentiate the two. Anything running in kernel-space is by definition running at elevated privilege.
A user is simply an entity that can be authenticated - it doesn't need to be a carbon-based lifeform; it might be a daemon for example.

Thanks for your answer,

My goal is to map authentication events from users, and SU escalations, how can I tell one from another? When I make a SU escalation to become root, it still count as user-space? I can't understand the difference between the type=LOGIN, type=USER_AUTH, and type=USER_LOGIN

The documentation says:

USER_LOGIN Triggered when a user logs in.
USER_AUTH Triggered when a user-space authentication attempt is detected.
LOGIN Triggered to record relevant login information when a user log in to access the system.

It seems almost the same to me. The login type in particular, it seems clear in the description but if you go to the event the information on the 3 types is the same, i will put some examples:

type=USER_START

type=USER_START msg=audit(1525986087.087:237990257): pid=8122 uid=0 auid=12146 ses=160852 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'

type=USER_START msg=audit(1525986085.548:820853741): pid=233420 uid=0 auid=10227 ses=717619 msg='op=login id=10227 exe="/usr/sbin/sshd"
hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'

type=USER_AUTH

type=USER_AUTH msg=audit(1525986161.640:166561985): user pid=4342 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="sondeos" exe="/usr/sbin/sshd" hostname=200.123.177.97 addr=200.123.177.97 terminal=ssh res=success'

type=USER_AUTH msg=audit(1525986155.563:166561959): user pid=4340 uid=0 auid=0 ses=1936215 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=193.201.224.212 addr=193.201.224.212 terminal=ssh res=failed'

type=LOGIN

type=LOGIN msg=audit(1525986121.139:237995974): pid=12650 uid=0 old-auid=4294967295 auid=1500 old-ses=4294967295 ses=160854 res=1

type=LOGIN msg=audit(1525986120.593:166561282): pid=3973 uid=0 old auid=0 new auid=792 old ses=1936215 new ses=1953641

type=USER_LOGIN

type=USER_LOGIN msg=audit(1525986087.032:237990246): pid=8122 uid=0 auid=12146 ses=160852 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'

type=USER_LOGIN msg=audit(1525986085.895:237990094): pid=8010 uid=0 auid=12146 ses=160851 msg='op=login id=12146 exe="/usr/sbin/sshd" hostname=rgdedbp1823.dtvpan.com addr=172.22.127.137 terminal=ssh res=success'

Thanks in advance!