
@adriansr
Last active July 3, 2023 10:47


  1. adriansr revised this gist Mar 26, 2019. 1 changed file with 13 additions and 0 deletions.
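--- a/auditd USER_AUTH USER_LOGIN
+++ b/auditd USER_AUTH USER_LOGIN
@@ -1,3 +1,16 @@
+
+# local login failed
+
+"type=USER_AUTH msg=audit(1553622768.697:628): pid=6261 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
+"type=USER_LOGIN msg=audit(1553622768.697:629): pid=6261 uid=0 auid=1002 ses=40 msg='op=login acct=\"root\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
+
+
+# local login succeeded
+"type=USER_AUTH msg=audit(1553622784.557:630): pid=6261 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
+"type=USER_LOGIN msg=audit(1553622784.973:634): pid=6261 uid=0 auid=1002 ses=40 msg='op=login acct=\"adrian\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
+
+
+
 # SSH from remote
 "type=USER_LOGIN msg=audit(1553621402.493:548): pid=5858 uid=0 auid=1000 ses=37 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/1 res=success'"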
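Review bot: The failed console login is recorded twice for one attempt — USER_AUTH 628 and USER_LOGIN 629 share pid=6261 and the same timestamp 1553622768.697 — so a brute-force rule that counts both record types will double-count /bin/login failures; pair them by pid, or count only USER_LOGIN res=failed, which the first revision shows is also the only record emitted for an SSH key rejection. Every /bin/login record here carries hostname=? addr=?, so source-address logic has to treat '?' as "local console" rather than a parse error. Note also that the successful /bin/login USER_LOGIN (634) identifies the user as acct="adrian", whereas the successful sshd USER_LOGIN records in the same file use a numeric id= field instead, so a parser needs to read both. The auid=1002 ses=40 on these records appears to be inherited from the shell that invoked login (ses=40 is the sshd session established in the first revision), not the account being authenticated; that is worth a line in the file, e.g. `# NOTE: auid/ses on /bin/login records reflect the calling session, not the target account`.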

  2. adriansr created this gist Mar 26, 2019.
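--- /dev/null
+++ b/auditd USER_AUTH USER_LOGIN
@@ -0,0 +1,43 @@
+# SSH from remote
+"type=USER_LOGIN msg=audit(1553621402.493:548): pid=5858 uid=0 auid=1000 ses=37 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/1 res=success'"
+
+# SSH from local, failure
+"type=USER_AUTH msg=audit(1553621419.693:549): pid=5936 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=failed'"
+"type=USER_LOGIN msg=audit(1553621419.693:550): pid=5936 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=127.0.0.1 terminal=sshd res=failed'"
+
+# SSH from local, success
+"type=USER_AUTH msg=audit(1553621439.149:551): pid=5941 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'"
+"type=USER_LOGIN msg=audit(1553621439.633:561): pid=5941 uid=0 auid=1002 ses=38 msg='op=login id=1002 exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=/dev/pts/2 res=success'"
+
+# SSH from remote, key failed
+"type=USER_LOGIN msg=audit(1553621480.001:567): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.2.2 terminal=sshd res=failed'"
+# ... then fail password
+"type=USER_AUTH msg=audit(1553621498.857:568): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=failed'"
+"type=USER_LOGIN msg=audit(1553621498.857:569): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.2.2 terminal=sshd res=failed'"
+# ... then right password
+"type=USER_AUTH msg=audit(1553621512.245:570): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'"
+"type=USER_LOGIN msg=audit(1553621512.681:580): pid=6036 uid=0 auid=1002 ses=40 msg='op=login id=1002 exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/1 res=success'"
+
+# su - failure
+
+"type=USER_AUTH msg=audit(1553621536.361:581): pid=6129 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
+
+# sudo failure
+
+"type=USER_AUTH msg=audit(1553621549.941:583): pid=6130 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
+"type=USER_AUTH msg=audit(1553621555.529:584): pid=6130 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
+
+
+# su <username>
+"type=USER_AUTH msg=audit(1553621598.789:587): pid=6138 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"vagrant\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
+# sudo <something> success
+
+(nothing)
+
+# sudo su
+"type=USER_AUTH msg=audit(1553621630.597:599): pid=6154 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
+
+# sudo su -
+"type=USER_AUTH msg=audit(1553621645.241:611): pid=6167 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"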
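Review bot: The "SSH from remote, key failed" sample (event 567) shows a public-key rejection produces only USER_LOGIN res=failed with no USER_AUTH at all, so any failed-login detection keyed solely on USER_AUTH will miss key-based attempts; the file should say so explicitly, e.g. `# NOTE: key rejection emits USER_LOGIN res=failed only (no USER_AUTH); alert on both record types`. The field naming also shifts between outcomes — sshd successes (561, 580) carry a numeric `id=1002`, while failures (550, 567, 569) carry `acct="adrian"` — so a parser must read both fields to attribute the account. Pre-authentication records have auid=4294967295 ses=4294967295 (the unset sentinel), so attributing a failure to a session via auid/ses is not possible; pid is the only stable join key in these samples (pid=6036 spans 567 through 580), and terminal varies between `ssh`, `sshd` and `/dev/pts/N`, so it is not a reliable correlation field either. The "(nothing)" recorded for a successful `sudo <something>` is unexplained in the file; it may reflect sudo's credential caching or the audit configuration used, and a comment stating that uncertainty would stop readers from concluding that sudo successes are never audited.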