@adriansr
Last active July 3, 2023 10:47
# local login failed
"type=USER_AUTH msg=audit(1553622768.697:628): pid=6261 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
"type=USER_LOGIN msg=audit(1553622768.697:629): pid=6261 uid=0 auid=1002 ses=40 msg='op=login acct=\"root\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
# local login succeeded
"type=USER_AUTH msg=audit(1553622784.557:630): pid=6261 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
"type=USER_LOGIN msg=audit(1553622784.973:634): pid=6261 uid=0 auid=1002 ses=40 msg='op=login acct=\"adrian\" exe=\"/bin/login\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
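# SSH from remote, success (in these samples a successful sshd USER_LOGIN carries id=<uid> instead of acct=<name>, so parsers need to handle both fields)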
"type=USER_LOGIN msg=audit(1553621402.493:548): pid=5858 uid=0 auid=1000 ses=37 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/1 res=success'"
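# SSH from local, failure (auid=4294967295 and ses=4294967295 are the "unset" value, i.e. no login UID or session has been assigned yet)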
"type=USER_AUTH msg=audit(1553621419.693:549): pid=5936 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=failed'"
"type=USER_LOGIN msg=audit(1553621419.693:550): pid=5936 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=127.0.0.1 terminal=sshd res=failed'"
# SSH from local, success
"type=USER_AUTH msg=audit(1553621439.149:551): pid=5941 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=ssh res=success'"
"type=USER_LOGIN msg=audit(1553621439.633:561): pid=5941 uid=0 auid=1002 ses=38 msg='op=login id=1002 exe=\"/usr/sbin/sshd\" hostname=127.0.0.1 addr=127.0.0.1 terminal=/dev/pts/2 res=success'"
# SSH from remote, key failed
"type=USER_LOGIN msg=audit(1553621480.001:567): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.2.2 terminal=sshd res=failed'"
# ... then password failed
"type=USER_AUTH msg=audit(1553621498.857:568): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=failed'"
"type=USER_LOGIN msg=audit(1553621498.857:569): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.2.2 terminal=sshd res=failed'"
# ... then correct password
"type=USER_AUTH msg=audit(1553621512.245:570): pid=6036 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=ssh res=success'"
"type=USER_LOGIN msg=audit(1553621512.681:580): pid=6036 uid=0 auid=1002 ses=40 msg='op=login id=1002 exe=\"/usr/sbin/sshd\" hostname=10.0.2.2 addr=10.0.2.2 terminal=/dev/pts/1 res=success'"
# su - failure
"type=USER_AUTH msg=audit(1553621536.361:581): pid=6129 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
# sudo failure
"type=USER_AUTH msg=audit(1553621549.941:583): pid=6130 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
"type=USER_AUTH msg=audit(1553621555.529:584): pid=6130 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"adrian\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=failed'"
# su <username>
"type=USER_AUTH msg=audit(1553621598.789:587): pid=6138 uid=1002 auid=1002 ses=40 msg='op=PAM:authentication acct=\"vagrant\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
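# sudo <something> success
(nothing: no USER_AUTH or USER_LOGIN record appeared; a successful sudo may only show up under other record types such as USER_CMD, which this capture does not include)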
# sudo su (uid=0 here, but auid=1002 still identifies the original login user)
"type=USER_AUTH msg=audit(1553621630.597:599): pid=6154 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"
# sudo su -
"type=USER_AUTH msg=audit(1553621645.241:611): pid=6167 uid=0 auid=1002 ses=40 msg='op=PAM:authentication acct=\"root\" exe=\"/bin/su\" hostname=? addr=? terminal=/dev/pts/1 res=success'"