looks like auditd logging is a bit tweaked.
eero
26.10.2016 6.11 ip. <m.roth@xxxxxxxxx> kirjoitti:
> The recently-left programmer did *something*, and he didn't know what, and
> the guy who picked it up is working with me to find out why
> /var/log/messages is getting flooded with
> Oct 26 11:01:06 <servername> kernel: type=1105
> audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:session_open
> grantors=pam_keyinit,pam_keyinit,pam_limits,pam_
> systemd,pam_unix,pam_krb5,pam_xauth
> acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
> Oct 26 11:01:06 <servername> kernel: type=1106
> audit(1477494066.620:642431): pid=108548 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:session_close
> grantors=pam_keyinit,pam_keyinit,pam_limits,pam_
> systemd,pam_unix,pam_krb5,pam_xauth
> acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
> Oct 26 11:01:06 <servername> kernel: type=1104
> audit(1477494066.620:642432): pid=108548 uid=0 auid=4294967295
> ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0
> msg='op=PAM:setcred grantors=pam_rootok acct="<user>" exe="/usr/bin/su"
> hostname=? addr=? terminal=? res=success'
>
> Oct 26 11:01:11 <servername> su: (to <user>) root on none
> Oct 26 11:01:11 <servername> su: (to <user>) root on none
> Oct 26 11:01:11 <servername> systemd: Started Session c21839 of user
> <user>.
>
> Other folks can submit jobs to slurm, and we don't get anything like this.
>
> Feel free to contact me offlist....
>
> mark
> Oct 26 11:01:11 <servername> systemd: Starting Session c21839 of user
> <user>.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
