#3 AUD_CONFIG_WR

open
nobody
None
5
2005-07-26
2005-07-26
Vadim Korsak
No

I use AIX 5.3, and with default audit (general class is
assigned) got strange messges when login through ssh:

event login status time
command
--------------- -------- -----------
------------------------ -------------------------------
S_PASSWD_READ root OK Tue Jul 26
08:55:52 2005 sshd
audit object read event detected
/etc/security/passwd
S_PASSWD_READ root OK Tue Jul 26
08:55:52 2005 sshd
audit object read event detected
/etc/security/passwd
AUD_CONFIG_WR user1 FAIL Tue Jul 26 08:55:52
2005 sshd
audit object write event detected
/etc/security/audit/config
FS_Mkdir user1 OK Tue Jul 26 08:55:52
2005 sshd
mode: 700 dir: /tmp/ssh-VNrJ266462
FS_Chdir user1 OK Tue Jul 26 08:55:53
2005 sshd
change current directory to: /home/user1

IS THAT OK?

Discussion