In the examples below, user mapping is enabled, so user and group IDs appear as uid=#(username) and gid=#(groupname). If user mapping is disabled, every uid=# and gid=# is replaced with uid=0 and gid=0.
Outbound Network Connectivity.
These messages are generated by firewalld and cover all outbound network traffic, except traffic to the known addresses used for Oracle monitoring.
The following example shows messages as they are seen on the system that receives the forwarded syslog messages.
Result from an SSH/SCP command:
Start ssh:
2022-12-09T11:41:55.587734-05:00 HS gatewaynode.example.com HE [kern.info] MS - 0:0:0:0:0:0:0:1 NA: 2022-12-09T17:20:26.946315+00:00 ct- gateway-01 iptables: TCP_CONN_START IN= OUT=enp1s0 SRC=gw.gw.gw.gw DST=host.host.host.host LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55848 DF PROTO=TCP SPT=16890 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000(jdoe) GID=1001(jdoe) MARK=0x1
End of ssh:
2022-12-09T11:41:55.587734-05:00 HS gatewaynode.example.com HE [kern.info] MS - 0:0:0:0:0:0:0:1 NA: 2022-12-09T17:20:36.450377+00:00 ct- gateway-01 iptables: TCP_CONN_END IN= OUT=enp1s0 SRC=gw.gw.gw.gw DST=host.host.host.host LEN=40 TOS=0x08 PREC=0x40 TTL=64 ID=55885 DF PROTO=TCP SPT=16890 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0 UID=1000(setup) GID=1001(setup) MARK=0x1
Outbound Login Activity.
The following example shows a message as it is seen on the system that receives the forwarded syslog messages.
Result from an SSH/SCP command:
2022-12-09T11:41:55.587734-05:00 HS gatewaynode.example.com HE [kern.info] MS - 0:0:0:0:0:0:0:1 NA: 2022-12-09T17:20:26.937571+00:00 ct- gateway-01 gateway_audit: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55e05d4f03a0 a1=55e05d4adfe0 a2=55e05d4c7cf0 a3=8 items=2 ppid=3957593 pid=3958481 auid=1000(jdoe) uid=1000(jdoe) gid=1001(jdoe) euid=1000(jdoe) suid=1000(jdoe) fsuid=1000(jdoe) egid=1001(jdoe) sgid=1001(jdoe) fsgid=1001(jdoe) tty=pts0 ses=63296 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="gateway_audit"
Gateway User Login Activity.
The following examples show messages as they are seen on the system that receives the forwarded syslog messages.
Example of SSH/SCP being invoked to the Gateway:
2022-12-09T11:41:33.209326-05:00 HS gatewaynode.example.com HE [auth.notice] MS - 0:0:0:0:0:0:0:1 NA: 2022-12-09T17:20:04.735608+00:00 ct- gateway-01 session: SYSCALL arch=c000003e syscall=257 success=yes exit=14 a0=ffffff9c a1=7fbb9f57f160 a2=80002 a3=0 items=1 ppid=1245718() pid=3957381(jdoe[priv]) auid=1000(jdoe) uid=0(root) gid=0(root) euid=0(root) suid=0(root) fsuid=0(root) egid=0(root) sgid=0(root) fsgid=0(root) tty=(none) ses=63296 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key="SESSION"
Result from an su command on the Gateway:
Aug 1 21:42:49 Aug-01 17:42:49 GMT-04:00 0:0:0:0:0:0:0:1 NA: sample-host audispd: node=sample-host type=SYSCALL msg=audit(1437567906.700:17840209): arch=c000003e syscall=2 success=yes exit=3 a0=7f691418c518 a1=2 a2=7f691418c760 a3=fffffffffffffff0 items=1 ppid=22614 pid=25811 auid=54373 uid=54373 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts4 ses=90594 comm="su" exe="/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="SESSION"
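As an added example (not code from the page or from Oracle's tooling), the following Python parser works on the forwarded lines shown under Outbound Network Connectivity and Outbound Login Activity: it skips the forwarder prefix up to "NA:", splits the gateway payload into key=value fields, decodes uid=#(username) values (returning no username when mapping is disabled and only uid=0 is logged), and pairs each TCP_CONN_START with its TCP_CONN_END to attribute the flow and its duration to the user. The sample lines, host name and RFC 5737 addresses are constructed for the example; the audispd layout in the su example above is not handled and parses to None.

```python
import re
from datetime import datetime
# Constructed samples in the page's forwarded layout (host name and addresses are made up).
WRAP = "2022-12-09T11:41:55.587734-05:00 HS gatewaynode.example.com HE [kern.info] MS - 0:0:0:0:0:0:0:1 NA: "
SAMPLES = [
    WRAP + "2022-12-09T17:20:26.946315+00:00 gateway-01 iptables: TCP_CONN_START IN= OUT=enp1s0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55848 DF PROTO=TCP SPT=16890 DPT=22 WINDOW=64240 "
    "RES=0x00 SYN URGP=0 UID=1000(jdoe) GID=1001(jdoe) MARK=0x1",
    WRAP + "2022-12-09T17:20:26.937571+00:00 gateway-01 gateway_audit: SYSCALL arch=c000003e syscall=59 "
    "success=yes exit=0 items=2 ppid=3957593 pid=3958481 auid=1000(jdoe) uid=1000(jdoe) gid=1001(jdoe) "
    'tty=pts0 ses=63296 comm="ssh" exe="/usr/bin/ssh" key="gateway_audit"',
    WRAP + "2022-12-09T17:20:36.450377+00:00 gateway-01 iptables: TCP_CONN_END IN= OUT=enp1s0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=40 TOS=0x08 PREC=0x40 TTL=64 ID=55885 DF PROTO=TCP SPT=16890 DPT=22 WINDOW=501 "
    "RES=0x00 ACK FIN URGP=0 UID=1000(jdoe) GID=1001(jdoe) MARK=0x1",
]

PAYLOAD_RE = re.compile(r"NA: (\S+) (.+?) (\w+): (\w+) (.*)$")  # ts, host, program, event, body
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')                       # key=value, quoted or bare
ID_RE = re.compile(r"^(\d+)(?:\(([^)]*)\))?$")                    # 1000(jdoe) or bare 0

def parse_forwarded(line):
    """Gateway payload of one forwarded line as a dict; None unless 'NA: <ts> <host> <prog>: <event> k=v ...'."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    ts, host, prog, event, body = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog,
            "event": event, "fields": fields}

def split_id(value):
    """'1000(jdoe)' -> (1000, 'jdoe'); a bare '0' (user mapping disabled) -> (0, None)."""
    m = ID_RE.match(value or "")
    return (int(m.group(1)), m.group(2)) if m else (None, None)

def correlate_connections(lines):
    """Pair iptables TCP_CONN_START/TCP_CONN_END on (SRC, SPT, DST, DPT); audit records are skipped here."""
    open_flows, completed = {}, []
    for rec in (r for r in map(parse_forwarded, lines) if r and r["prog"] == "iptables"):
        f = rec["fields"]
        key = (f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))
        if rec["event"] == "TCP_CONN_START":
            open_flows[key] = rec
        elif rec["event"] == "TCP_CONN_END" and key in open_flows:
            start = open_flows.pop(key)
            uid, user = split_id(start["fields"].get("UID"))  # attribute to the UID at connection start
            completed.append({"dst": f"{key[2]}:{key[3]}", "uid": uid, "user": user, "unmapped": user is None,
                              "seconds": (rec["ts"] - start["ts"]).total_seconds()})
    return completed
```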