2004-04-25T11:30:35 0 4993 root [AUDIT_start] audit system started 2004-04-25T11:33:53 0 5147 -1 [PROC_auditid] ioctl("/dev/audit", AUIOCSETAUDITID, [data, len=0]); result=0 2004-04-25T11:33:53 1 5147 thomas [AUDIT_login] LOGIN: uid=500, hostname=loghost, address=172.16.0.10, terminal=NODEVssh, executable=/usr/sbin/sshd 2004-04-25T11:33:53 2 5147 thomas [FILE_open] open("/dev/audit", O_RDWR); result=3 2004-04-25T11:33:53 3 5147 thomas [AUTH_success] PAM accounting: user=thomas (hostname=loghost, addr=172.16.0.10, terminal=NODEVssh) 2004-04-25T11:33:53 4 5149 thomas [PROC_realgid] setgid32(100); result=0 2004-04-25T11:33:53 5 5149 thomas [PROC_realgid] setgroups32(6, [100, 14, 16, 17, 33, 42]); result=0 2004-04-25T11:33:53 6 5149 thomas [PROC_realgid] setgid32(100); result=0 2004-04-25T11:33:53 7 5149 thomas [PRIV_userchange] setuid32(500); result=0 2004-04-25T11:33:53 8 5147 thomas [FILE_open] open("/dev/pts/5", O_RDWR|O_NOCTTY); result=6 2004-04-25T11:33:53 9 5147 thomas [FILE_owner] chown32("/dev/pts/5", 500, 5); result=0 2004-04-25T11:33:53 10 5149 thomas [FILE_open] open("/dev/audit", O_RDWR); result=-13 ["Permission denied"] 2004-04-25T11:33:53 11 5150 thomas [PROC_execute] execve("/bin/bash", ["-bash"], [data, len=0]) 2004-04-25T11:33:53 12 5147 thomas [FILE_create] open("/var/log/lastlog", O_RDWR|O_CREAT|O_LARGEFILE, 02000); result=7 2004-04-25T11:33:53 13 5152 thomas [PROC_execute] execve("/bin/ls", ["/bin/ls", "-l", "/proc/5150/exe"], [data, len=0]) 2004-04-25T11:33:54 14 5154 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:54 15 5154 thomas [PROC_execute] execve("/usr/bin/tty", ["tty"], [data, len=0]) 2004-04-25T11:33:54 16 5155 thomas [PROC_execute] execve("/bin/stty", ["/bin/stty", "sane", "cr0", "pass8", "dec"], [data, len=0]) 2004-04-25T11:33:54 17 5156 thomas [PROC_execute] execve("/usr/bin/tset", ["/usr/bin/tset", "-I", "-Q"], [data, len=0]) 2004-04-25T11:33:54 18 5158 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:54 19 5158 thomas [PROC_execute] execve("/bin/hostname", ["hostname", "-s"], [data, len=0]) 2004-04-25T11:33:54 20 5160 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:54 21 5160 thomas [PROC_execute] execve("/bin/uname", ["uname", "-m"], [data, len=0]) 2004-04-25T11:33:54 22 5162 thomas [PROC_execute] execve("/usr/bin/manpath", ["/usr/bin/manpath", "-q"], [data, len=0]) 2004-04-25T11:33:54 23 5163 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:54 24 5164 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:54 25 5164 thomas [PROC_execute] execve("/bin/grep", ["grep", "0300.*121a.*0003"], [data, len=0]) 2004-04-25T11:33:54 26 5163 thomas [PROC_execute] execve("/sbin/lspci", ["/sbin/lspci", "-n"], [data, len=0]) 2004-04-25T11:33:55 27 5166 thomas [PROC_execute] execve("/usr/bin/dircolors", ["dircolors", "-b", "/etc/DIR_COLORS"], [data, len=0]) 2004-04-25T11:33:55 28 5150 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:55 29 5150 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:55 30 5150 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:33:55 31 5150 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:05 32 5149 thomas [FILE_open] open("/dev/audit", O_RDWR); result=-13 ["Permission denied"] 2004-04-25T11:37:05 33 5147 thomas [FILE_owner] chown32("/dev/pts/5", 0, 0); result=0 2004-04-25T11:37:05 34 5147 thomas [FILE_mode] chmod("/dev/pts/5", 0666); result=0 2004-04-25T11:37:06 35 6768 -1 [PROC_auditid] ioctl("/dev/audit", AUIOCSETAUDITID, [data, len=0]); result=0 2004-04-25T11:37:06 36 6768 thomas [AUDIT_login] LOGIN: uid=500, hostname=loghost, address=172.16.0.10, terminal=NODEVssh, executable=/usr/sbin/sshd 2004-04-25T11:37:06 37 6768 thomas [FILE_open] open("/dev/audit", O_RDWR); result=3 2004-04-25T11:37:06 38 6768 thomas [AUTH_success] PAM accounting: user=thomas (hostname=loghost, addr=172.16.0.10, terminal=NODEVssh) 2004-04-25T11:37:06 39 6770 thomas [PROC_realgid] setgid32(100); result=0 2004-04-25T11:37:06 40 6770 thomas [PROC_realgid] setgroups32(6, [100, 14, 16, 17, 33, 42]); result=0 2004-04-25T11:37:06 41 6770 thomas [PROC_realgid] setgid32(100); result=0 2004-04-25T11:37:06 42 6770 thomas [PRIV_userchange] setuid32(500); result=0 2004-04-25T11:37:06 43 6768 thomas [FILE_open] open("/dev/pts/5", O_RDWR|O_NOCTTY); result=6 2004-04-25T11:37:06 44 6768 thomas [FILE_owner] chown32("/dev/pts/5", 500, 5); result=0 2004-04-25T11:37:06 45 6768 thomas [FILE_create] open("/var/log/lastlog", O_RDWR|O_CREAT|O_LARGEFILE, 02000); result=7 2004-04-25T11:37:06 46 6770 thomas [FILE_open] open("/dev/audit", O_RDWR); result=-13 ["Permission denied"] 2004-04-25T11:37:06 47 6771 thomas [PROC_execute] execve("/bin/bash", ["-bash"], [data, len=0]) 2004-04-25T11:37:06 48 6773 thomas [PROC_execute] execve("/bin/ls", ["/bin/ls", "-l", "/proc/6771/exe"], [data, len=0]) 2004-04-25T11:37:07 49 6775 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 50 6775 thomas [PROC_execute] execve("/usr/bin/tty", ["tty"], [data, len=0]) 2004-04-25T11:37:07 51 6776 thomas [PROC_execute] execve("/bin/stty", ["/bin/stty", "sane", "cr0", "pass8", "dec"], [data, len=0]) 2004-04-25T11:37:07 52 6777 thomas [PROC_execute] execve("/usr/bin/tset", ["/usr/bin/tset", "-I", "-Q"], [data, len=0]) 2004-04-25T11:37:07 53 6779 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 54 6779 thomas [PROC_execute] execve("/bin/hostname", ["hostname", "-s"], [data, len=0]) 2004-04-25T11:37:07 55 6781 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 56 6781 thomas [PROC_execute] execve("/bin/uname", ["uname", "-m"], [data, len=0]) 2004-04-25T11:37:07 57 6783 thomas [PROC_execute] execve("/usr/bin/manpath", ["/usr/bin/manpath", "-q"], [data, len=0]) 2004-04-25T11:37:07 58 6784 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 59 6784 thomas [PROC_execute] execve("/sbin/lspci", ["/sbin/lspci", "-n"], [data, len=0]) 2004-04-25T11:37:07 60 6785 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 61 6785 thomas [PROC_execute] execve("/bin/grep", ["grep", "0300.*121a.*0003"], [data, len=0]) 2004-04-25T11:37:07 62 6787 thomas [PROC_execute] execve("/usr/bin/dircolors", ["dircolors", "-b", "/etc/DIR_COLORS"], [data, len=0]) 2004-04-25T11:37:07 63 6771 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 64 6771 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 65 6771 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:07 66 6771 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:09 67 6788 thomas [PROC_execute] execve("/bin/su", ["/bin/su", "-"], [data, len=0]) 2004-04-25T11:37:09 68 6788 thomas [FILE_open] open("/etc/shadow", O_RDONLY); result=3 2004-04-25T11:37:09 69 6788 thomas [FILE_create] open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC, 0666); result=3 2004-04-25T11:37:12 70 6788 thomas [FILE_open] open("/dev/audit", O_RDWR); result=3 2004-04-25T11:37:12 71 6788 thomas [AUTH_success] PAM authentication: user=root (hostname=?, addr=?, terminal=pts/5) 2004-04-25T11:37:12 72 6788 thomas [FILE_open] open("/etc/shadow", O_RDONLY); result=3 2004-04-25T11:37:12 73 6788 thomas [FILE_open] open("/dev/audit", O_RDWR); result=3 2004-04-25T11:37:12 74 6788 thomas [AUTH_success] PAM accounting: user=root (hostname=?, addr=?, terminal=pts/5) 2004-04-25T11:37:12 75 6788 thomas [PROC_realgid] setgroups32(1, [0]); result=0 2004-04-25T11:37:12 76 6788 thomas [PROC_realgid] setgid32(0); result=0 2004-04-25T11:37:12 77 6788 thomas [PRIV_userchange] setuid32(0); result=0 2004-04-25T11:37:12 78 6788 thomas [FILE_open] open("/dev/audit", O_RDWR); result=4 2004-04-25T11:37:12 79 6788 thomas [AUTH_success] PAM session open: user=root (hostname=?, addr=?, terminal=pts/5) 2004-04-25T11:37:12 80 6792 thomas [PROC_execute] execve("/bin/bash", ["-bash"], [data, len=0]) 2004-04-25T11:37:12 81 6794 thomas [PROC_execute] execve("/bin/ls", ["/bin/ls", "-l", "/proc/6792/exe"], [data, len=0]) 2004-04-25T11:37:12 82 6796 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 83 6796 thomas [PROC_execute] execve("/usr/bin/tty", ["tty"], [data, len=0]) 2004-04-25T11:37:12 84 6798 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 85 6798 thomas [PROC_execute] execve("/bin/hostname", ["hostname", "-s"], [data, len=0]) 2004-04-25T11:37:12 86 6800 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 87 6800 thomas [PROC_execute] execve("/bin/uname", ["uname", "-m"], [data, len=0]) 2004-04-25T11:37:12 88 6802 thomas [PROC_execute] execve("/usr/bin/manpath", ["/usr/bin/manpath", "-q"], [data, len=0]) 2004-04-25T11:37:12 89 6803 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 90 6803 thomas [PROC_execute] execve("/sbin/lspci", ["/sbin/lspci", "-n"], [data, len=0]) 2004-04-25T11:37:12 91 6804 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 92 6804 thomas [PROC_execute] execve("/bin/grep", ["grep", "0300.*121a.*0003"], [data, len=0]) 2004-04-25T11:37:12 93 6806 thomas [PROC_execute] execve("/usr/bin/dircolors", ["dircolors", "-b", "/etc/DIR_COLORS"], [data, len=0]) 2004-04-25T11:37:12 94 6792 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 95 6792 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 96 6792 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:12 97 6792 thomas [FILE_create] open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666); result=3 2004-04-25T11:37:16 98 6807 thomas [PROC_execute] execve("/usr/sbin/aucat", ["aucat"], [data, len=0]) 2004-04-25T11:37:16 99 6807 thomas [FILE_open] open("/var/log/audit.d/bin.0", O_RDONLY); result=3 2004-04-25T11:37:29 100 6792 thomas [FILE_open] open("/root/.bash_history", O_WRONLY|O_APPEND); result=3 2004-04-25T11:37:29 101 6792 thomas [FILE_open] open("/root/.bash_history", O_WRONLY|O_TRUNC); result=3 2004-04-25T11:37:29 102 6788 thomas [FILE_open] open("/dev/audit", O_RDWR); result=4 2004-04-25T11:37:29 103 6788 thomas [AUTH_success] PAM session close: user=root (hostname=?, addr=?, terminal=pts/5)