#1
Old 09-13-2009, 12:41 PM

Process Not Recorded Correctly in audit.log

First off, everything seems to work just fine. This is a little esoteric so please bear with me...

I'm looking for whatever this is: (in /var/log/audit/audit.log)
Code:
cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573
Some back story:
1) This is on a RHEL 5.3 x86_64 box w/ ZCS 5.0.16 x86_64
2) The entire install and configuration of the server I'm building is scripted.
3) This anomaly only occurs first in the middle of the ZCS-NE install script, about the time it's installing openldap; thereafter in perpetuity as well.
4) My script really just kicks-off the zimbra installer script and feeds the parameters as needed.
5) If I comment out the ZCS-NE portion of the install script (installing only BIND/Samba) I never see this in the audit log.

While I'm watching my audit logs I'm seeing 2 funky entries that run in a cyclical manner. The cycles are differentiated thus:

msg='cwd="/" cmd=2F6...
msg='cwd="/opt/zimbra" cmd=2F6...

Code:
# tail -f /var/log/audit/audit.log

EPOCH Time: Saturday, September 12, 2009 8:59:36 PM		-		Cycle 1
type=CRED_ACQ msg=audit(1252807176.188:262726): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_START msg=audit(1252807176.188:262727): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_END msg=audit(1252807176.188:262728): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_CMD msg=audit(1252807176.190:262729): user pid=24183 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'

EPOCH Time: Saturday, September 12, 2009 9:01:01 PM		-		Cycle 1
type=CRED_ACQ msg=audit(1252807261.801:262764): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_START msg=audit(1252807261.801:262765): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_END msg=audit(1252807261.801:262766): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_CMD msg=audit(1252807261.803:262767): user pid=25120 uid=0 auid=0 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
the interval seems to be 1m 25s
===
EPOCH Time: Saturday, September 12, 2009 9:00:13 PM		-		Cycle 2
type=CRED_ACQ msg=audit(1252807213.856:262750): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_START msg=audit(1252807213.856:262751): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_END msg=audit(1252807213.857:262752): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_CMD msg=audit(1252807213.858:262753): user pid=24674 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'

EPOCH Time: Saturday, September 12, 2009 9:02:07 PM		-		Cycle 2
type=CRED_ACQ msg=audit(1252807327.959:262780): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_START msg=audit(1252807327.959:262781): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_END msg=audit(1252807327.960:262782): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=zerver.ptest.us, addr=10.0.0.14, terminal= res=success)'
type=USER_CMD msg=audit(1252807327.961:262783): user pid=25542 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
the interval seems to be 2m 6s
Like I say, everything works. I'd really like to know what this is though. And, if this shows in anyone else's audit.log

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

Last edited by todd_dsm; 10-08-2010 at 09:43 AM..
#2
Old 09-14-2009, 04:28 AM

You are checking the wrong audit.log file. Zimbra doesn't log to /var/log/audit/audit.log; rather, it logs to the /opt/zimbra/log/audit.log file.
#3
Old 09-14-2009, 07:42 AM

I believe auditd writes any/all auth to the system log. If an application has to auth before interacting with the system it gets logged here:
Code:
# tail -f /var/log/audit/audit.log
type=LOGIN msg=audit(1256532361.646:5148): login pid=28000 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=276
type=USER_START msg=audit(1256532361.650:5149): user pid=28000 uid=0 auid=500 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="zimbra" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1256532367.457:5150): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_START msg=audit(1256532367.458:5151): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_END msg=audit(1256532367.458:5152): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_CMD msg=audit(1256532367.459:5153): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
type=CRED_ACQ msg=audit(1256532367.519:5154): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_START msg=audit(1256532367.520:5155): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_END msg=audit(1256532367.520:5156): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_CMD msg=audit(1256532367.521:5157): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd="/opt/zimbra/libexec/zmmtastatus" (terminal=? res=success)'
So, help me understand how Zimbra is not authing, so that it can execute commands on the system? auid=500 (= zimbra, by the way)

Thanks in advance,
todd_dsm


Last edited by todd_dsm; 10-08-2010 at 09:44 AM..
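The hex string the first post asks about and the quoted cmd in post #3 are the same audit field written two ways: auditd hex-encodes a string field (cmd, cwd, acct, exe and the like) when it contains a space, quote or control character, and writes it in double quotes otherwise. That is why the same kind of USER_CMD record shows cmd=2F6F... for one helper and cmd="/opt/zimbra/libexec/zmmtastatus" for the other; the hex value decodes to /opt/zimbra/libexec/zmmailboxdmgr status, and `ausearch -i` would print it that way. The Python below is an added example, not code from the thread or from Zimbra: it does that decoding by hand on a constructed sample built from the records quoted in post #3, groups each sudo call's CRED_ACQ/USER_START/USER_END/USER_CMD records by pid, and lists the calls in which a non-root login uid (auid) obtained a root session through sudo. The function names, the set of fields it treats as strings, and the sample log are my assumptions.

```python
"""Decode hex-encoded fields in Linux audit (auditd) records and group the
PAM records of each sudo invocation by pid.  Added example, not from the
thread; it reproduces by hand what `ausearch -i` does for the cmd field."""
import re

# Constructed sample: the eight sudo records quoted in post #3 (one
# hex-encoded cmd, one quoted cmd), copied as they appear there.
SAMPLE_LOG = """\
type=CRED_ACQ msg=audit(1256532367.457:5150): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_START msg=audit(1256532367.458:5151): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_END msg=audit(1256532367.458:5152): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_CMD msg=audit(1256532367.459:5153): user pid=28224 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd=2F6F70742F7A696D6272612F6C6962657865632F7A6D6D61696C626F78646D677220737461747573 (terminal=? res=success)'
type=CRED_ACQ msg=audit(1256532367.519:5154): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_START msg=audit(1256532367.520:5155): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_END msg=audit(1256532367.520:5156): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=host.domain.com, addr=10.0.0.14, terminal=? res=success)'
type=USER_CMD msg=audit(1256532367.521:5157): user pid=28244 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/opt/zimbra" cmd="/opt/zimbra/libexec/zmmtastatus" (terminal=? res=success)'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Fields auditd writes as "untrusted strings": quoted when clean, hex otherwise.
# Numeric fields (pid, uid, auid, ...) are never hex-decoded, so an even-length
# decimal such as pid=1234 is left alone.  This list is an assumption.
STRING_FIELDS = {"cmd", "cwd", "acct", "exe", "comm", "proctitle", "name", "key", "hostname"}
SESSION_TYPES = ("CRED_ACQ", "USER_START", "USER_END", "USER_CMD")


def decode_field(key, value):
    """Unwrap a quoted value; hex-decode an unquoted string field."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if key in STRING_FIELDS and len(value) % 2 == 0 and HEX_RE.match(value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except ValueError:
            return value
    return value


def parse_record(line):
    """Return one record as a dict (type, time, serial, then every key=value
    from the outer record and from the nested msg='...' text), or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    inner = ""
    idx = body.find(" msg='")
    if idx != -1:                      # split off the PAM / USER_CMD text
        inner = body[idx + 6:].rstrip("'")
        body = body[:idx]
    # The parenthesised tail "(hostname=..., addr=..., res=success)" holds
    # ordinary key=value pairs; drop the parentheses and parse it the same way.
    for k, v in FIELD_RE.findall(body) + FIELD_RE.findall(inner.replace("(", " ").replace(")", " ")):
        rec[k] = decode_field(k, v)
    return rec


def sudo_sessions(log_text):
    """Group the four PAM/USER_CMD records of each sudo call by pid, in the
    order the pids first appear."""
    by_pid = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] not in SESSION_TYPES or "pid" not in rec:
            continue
        sess = by_pid.setdefault(rec["pid"], {"pid": rec["pid"], "start": rec["time"], "records": []})
        sess["records"].append(rec["type"])
        for key in ("auid", "acct", "exe", "cwd", "cmd", "hostname", "addr"):
            if key in rec:
                sess[key] = rec[key]
    return list(by_pid.values())


def root_via_sudo(sessions):
    """One summary line per sudo call in which a non-root login uid obtained a
    root PAM session.  auid is fixed at login and survives sudo/su, so it names
    the account that triggered the command even though the record's uid is 0;
    4294967295 is the 'unset' auid of daemons that never logged in."""
    out = []
    for s in sessions:
        if s.get("exe") == "/usr/bin/sudo" and s.get("acct") == "root" \
                and s.get("auid") not in ("0", "4294967295"):
            out.append("pid=%s auid=%s cwd=%s cmd=%s"
                       % (s["pid"], s["auid"], s.get("cwd", "?"), s.get("cmd", "?")))
    return out


if __name__ == "__main__":
    for line in root_via_sudo(sudo_sessions(SAMPLE_LOG)):
        print(line)
```

Run against the sample, both calls are reported with auid=500, cwd=/opt/zimbra and the decoded command. That also answers the question in post #3: the zimbra account is authenticating, through sudo's PAM stack, which is exactly what the CRED_ACQ/USER_START/USER_END records with acct="root" and exe="/usr/bin/sudo" are, and the auid field is the part of each record that tells you which login account did it.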