User TTY menu only shows root executed commands #31

Open
donixa opened this issue May 5, 2020 · 1 comment

donixa commented May 5, 2020

Hello, I see I can only see the root user in the User TTY menu.
Is this expected?

`aureport --tty` shows only this for uid 1002:

```
406. 05/05/2020 17:23:10 1653 0 pts1 12 bash "\000\000\000hostnamectl",,,,"ctl | grep vm",
407. 05/05/2020 17:23:10 1654 0 ? 12 ? "hostnamectl | grep vm"
408. 05/05/2020 17:23:17 1675 0 pts0 1 bash "\000\000\000\000",,
409. 05/05/2020 17:23:17 1676 0 ? 1 ? "aureport --tty"

  1. 05/05/2020 17:24:30 1802 1002 pts2 13 bash "hostnamectl",,,,"ctl | grep vm",,"exit",
```

I presume that's why it does not generate the expected event data for the User TTY saved search to consume?

Or maybe you have other requirements to make it work? I see from how you write in your doc that it should include "users", so not just root?
https://github.com/doksu/splunk_auditd/wiki/About-Auditd

Maybe I need to update the kernel? I use 5.x... CentOS 7.x
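One way to check whether TTY audit records for non-root users are present in the raw report before looking at the saved search is to group the `aureport --tty` rows by audit uid. The parser below is an added example, not code from the issue or from the splunk_auditd project; the sample rows are the ones quoted above, and the column layout (row number, date, time, event id, auid, terminal, session, comm, data) is assumed from aureport's TTY report format.

```python
import re
from collections import defaultdict

# Constructed sample: the aureport --tty rows quoted in the issue above.
SAMPLE = """\
406. 05/05/2020 17:23:10 1653 0 pts1 12 bash "\\000\\000\\000hostnamectl",,,,"ctl | grep vm",
407. 05/05/2020 17:23:10 1654 0 ? 12 ? "hostnamectl | grep vm"
408. 05/05/2020 17:23:17 1675 0 pts0 1 bash "\\000\\000\\000\\000",,
409. 05/05/2020 17:23:17 1676 0 ? 1 ? "aureport --tty"
1. 05/05/2020 17:24:30 1802 1002 pts2 13 bash "hostnamectl",,,,"ctl | grep vm",,"exit",
"""

# One report row: number, date, time, event id, auid, terminal, session, comm, then free-form data.
ROW = re.compile(
    r'^\s*(?P<num>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+'
    r'(?P<auid>\d+)\s+(?P<term>\S+)\s+(?P<sess>\d+)\s+(?P<comm>\S+)\s+(?P<data>.*)$'
)

def parse_tty_report(text):
    """Return one dict per aureport --tty row; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("num", "event", "auid", "sess"):
            row[key] = int(row[key])
        # The data column is a comma-separated list of quoted strings; keep the quoted pieces
        # and ignore the empty items between commas.
        row["keys"] = re.findall(r'"((?:[^"\\]|\\.)*)"', row["data"])
        rows.append(row)
    return rows

def sessions_by_auid(rows):
    """Map each audit uid to the sorted list of sessions that produced a row with a terminal."""
    out = defaultdict(set)
    for r in rows:
        if r["term"] != "?":  # rows without a terminal carry no session to count here
            out[r["auid"]].add(r["sess"])
    return {auid: sorted(s) for auid, s in out.items()}

def non_root_auids(rows):
    """Audit uids other than 0 present in the report; empty means only root's TTY is captured."""
    return sorted({r["auid"] for r in rows if r["auid"] != 0})

if __name__ == "__main__":
    parsed = parse_tty_report(SAMPLE)
    print(sessions_by_auid(parsed))  # {0: [1, 12], 1002: [13]}
    print(non_root_auids(parsed))    # [1002]
```

Run it against a real report with `aureport --tty | python3 this_script.py`-style piping by replacing SAMPLE with `sys.stdin.read()`; an empty result from `non_root_auids` points at audit configuration rather than at the Splunk search.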

donixa commented May 5, 2020

[screenshot: 2020-05-05_211744]

Here you go, the correct view of `aureport --tty`.
