I was given the thankless job of creating an audit trail system in our company. It now mostly works OK, but there is a big issue of
Code:
"At 10:15:23 05/14/2021 did-unknown "
The one above in unformatted form looks like this:
Code:
time->Fri May 14 10:15:23 2021
type=PROCTITLE msg=audit(1620976523.213:73): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
type=PATH msg=audit(1620976523.213:73): item=0 name="/etc/" inode=34603009 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(1620976523.213:73): saddr=100000000000000000000000
type=SYSCALL msg=audit(1620976523.213:73): arch=c000003e syscall=44 success=yes exit=1076 a0=3 a1=7ffc67696050 a2=434 a3=0 items=1 ppid=974 pid=984 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditctl" exe="/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1620976523.213:73): auid=4294967295 ses=4294967295 op=add_rule key="etcpasswd" list=4 res=1
Code:
-w /etc/passwd -p wa -k etcpasswd
However,
Code:
aureport -au
I am using Linux Mint 19.2 Cinnamon with kernel 5.4.0 and the standard Linux auditd package.
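An added example, not code from the post or from the audit package: a small Python parser for raw auditd records of the kind quoted above (the four records of event 73 are embedded as a constructed sample, with the SYSCALL fields abbreviated). It joins the records that share one serial into a single event, decodes the hex-encoded proctitle back into argv, converts the epoch timestamp to UTC, and maps auid=4294967295 to "unset", which is how the kernel records a login uid that was never set and what ausearch -i prints for it.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the raw records quoted in the post (event serial 73), SYSCALL fields abbreviated.
RAW_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1620976523.213:73): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
type=PATH msg=audit(1620976523.213:73): item=0 name="/etc/" inode=34603009 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=SYSCALL msg=audit(1620976523.213:73): arch=c000003e syscall=44 success=yes exit=1076 auid=4294967295 uid=0 comm="auditctl" exe="/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1620976523.213:73): auid=4294967295 ses=4294967295 op=add_rule key="etcpasswd" list=4 res=1
"""

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AUID_UNSET = '4294967295'  # (unsigned)-1: no login uid was ever set; ausearch -i prints it as "unset"

def decode_proctitle(value):
    # proctitle is hex-encoded when argv contains NUL or spaces; NUL separates the arguments
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\0')
    return [value]

def parse_record(line):
    # One raw record -> (type, serial, UTC ISO time, {field: value}); None for non-record lines
    m = HEADER.match(line.strip())
    if not m:
        return None  # e.g. the "time->..." header that ausearch prints above each event
    fields = {k: v.strip('"') for k, v in FIELD.findall(m['body'])}
    if 'proctitle' in fields:
        fields['argv'] = decode_proctitle(fields['proctitle'])
    if fields.get('auid') == AUID_UNSET:
        fields['auid'] = 'unset'
    utc = datetime.fromtimestamp(int(m['secs']), tz=timezone.utc).isoformat()
    return m['type'], int(m['serial']), utc, fields

def summarize_events(raw):
    # Join records sharing one serial into an event and surface what an auditor needs to read
    events = {}
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        typ, serial, utc, fields = rec
        ev = events.setdefault(serial, {'serial': serial, 'time_utc': utc, 'records': {}})
        ev['records'][typ] = fields
    for ev in events.values():
        recs = ev['records']
        ev['argv'] = recs.get('PROCTITLE', {}).get('argv')
        ev['auid'] = recs.get('SYSCALL', {}).get('auid')
        ev['rule_key'] = recs.get('CONFIG_CHANGE', {}).get('key')
    return list(events.values())
```

Feeding it the output of ausearch --raw (or the lines of /var/log/audit/audit.log) gives one dict per event; a CONFIG_CHANGE event whose auid is unset, as here, came from a process started outside any login session, such as the audit service loading its rules at boot.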