Vigil Audit event says "Supervisor" removed trustee assignments.

  • 7017546
  • 27-Apr-2016
  • 27-Apr-2016

Environment

Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1

Situation

Vigil audit event says that "Supervisor" deleted trustee assignments.

Resolution

User "Supervisor" is a special user within NSS. It is always present and cannot be disabled. User "Supervisor" is recorded as the UserDn when using console commands.

Example:

Set up a simple vlog environment with the following command:

    ./vlog -f CVS o-/tmp/vlog-delete-trustee.log

Using the "rights" command as user "root", add trustees and then remove them:

    rights -f /media/nss/VOL1/test -r rwfc trustee test02.novell.bmemmott5-tree
    rights -f /media/nss/VOL1/test delete test02.novell.bmemmott5-tree

vlog stream when deleting the trustee:
vlogRecNo="5", vigilRecNo="5", Pid="19964", TimeStamp="2016-04-25 07:26:51.408599", Type="3 NSS", Event="256 TRUSTEE_REMOVE", TaskID="0", Zid="82", ParentZid="7F", OpRetCode="0", FileType="3 NAMED_DATA_STREAM", FileAttributes="0x40000010 { 4-SUBDIRECTORY 30-ATTR_ARCHIVE}", VolID="4033FB658202E6018000F6691ADB659C", VolDn="VOL1", UserID="03000000000000000000000000000000", UserDn="Supervisor", Uid="0", Uid_Name="root", Euid="0", Euid_Name="root", Suid="0", Suid_Name="root", Fsuid="0", Fsuid_Name="root", Gid="0", Gid_Name="root", Egid="0", Egid_Name="root", Sgid="0", Sgid_Name="root", Fsgid="0", Fsgid_Name="root", Comm="VirtKernelCall", target="[VOL1:/test]", TrusteeId="B9D59F740C7F784544B0B9D59F740C7F", TrusteeDn=".CN=test02.O=novell.T=BMEMMOTT5-TREE.", Rights="0x0000004B { 0-READ_CONTENTS 1-WRITE_CONTENTS 3-CREATE_ENTRY 6-SEE_FILES}", PurgedFileFlag="0 {FALSE}"

 vlogRecNo="6", vigilRecNo="6", Pid="19963", TimeStamp="2016-04-25 07:26:51.408691", Type="3 NSS", Event="8 CLOSE", TaskID="0", Zid="30E", ParentZid="106", OpRetCode="0", FileType="4 NAMED_PIPE", FileAttributes="0xC00E0000 { 17-RENAME_INHIBIT 18-DELETE_INHIBIT 19-COPY_INHIBIT 30-ATTR_ARCHIVE 31-VOLATILE}", VolID="4A0F879A0506E6018000DD2738FBDF32", VolDn="_ADMIN", UserID="03000000000000000000000000000000", UserDn="Supervisor", Uid="0", Uid_Name="root", Euid="0", Euid_Name="root", Suid="0", Suid_Name="root", Fsuid="0", Fsuid_Name="root", Gid="0", Gid_Name="root", Egid="0", Egid_Name="root", Sgid="0", Sgid_Name="root", Fsgid="0", Fsgid_Name="root", Comm="rights", target="[_ADMIN:/Manage_NSS/files.cmd]", key="0xD536B8A3F6BD17EB", FhState="0x00000000 {}", FileDeleted="0 {FALSE}", Accessed="04/25/2016 07:26:51", Created="04/19/2016 02:06:22", Modified="04/19/2016 02:06:22", MetaDataModified="04/19/2016 02:06:22"

Note:
Both events record UserDn="Supervisor".
In the first event Comm="VirtKernelCall"; in the second event Comm="rights", which is the rights command.
Also notice that user root is recorded as the Linux user (Uid_Name="root").
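
The reading described in the note above, as an added example (not part of the original document or of any Novell tooling): a Python script that parses vlog key="value" records, finds TRUSTEE_REMOVE events logged as "Supervisor", and reports the Linux account plus any user-space command seen from the same Uid close in time. The function names, the one-second window and the choice to correlate on Uid are assumptions; the sample records are abridged copies of the two shown above.

```python
import re
from datetime import datetime

# Abridged copies of the two vlog records shown above (fields trimmed for space).
SAMPLE = '''\
vlogRecNo="5", Pid="19964", TimeStamp="2016-04-25 07:26:51.408599", Event="256 TRUSTEE_REMOVE", VolDn="VOL1", UserDn="Supervisor", Uid="0", Uid_Name="root", Comm="VirtKernelCall", target="[VOL1:/test]", TrusteeDn=".CN=test02.O=novell.T=BMEMMOTT5-TREE."
vlogRecNo="6", Pid="19963", TimeStamp="2016-04-25 07:26:51.408691", Event="8 CLOSE", VolDn="_ADMIN", UserDn="Supervisor", Uid="0", Uid_Name="root", Comm="rights", target="[_ADMIN:/Manage_NSS/files.cmd]"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')  # values may contain commas, so split on quotes

def parse(line):
    """Turn one key="value" vlog record into a dict, with a parsed timestamp."""
    rec = dict(FIELD.findall(line))
    if "TimeStamp" in rec:
        rec["_ts"] = datetime.strptime(rec["TimeStamp"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def attribute_supervisor_removals(text, window_s=1.0):
    """For each TRUSTEE_REMOVE logged as Supervisor, report the Linux account
    and the commands (Comm) seen from the same Uid within window_s seconds.
    The window and the Uid correlation are assumptions of this example."""
    recs = [parse(l) for l in text.splitlines() if l.strip()]
    findings = []
    for r in recs:
        if r.get("UserDn") != "Supervisor" or "_ts" not in r:
            continue
        if not r.get("Event", "").endswith("TRUSTEE_REMOVE"):
            continue
        commands = sorted({
            o["Comm"] for o in recs
            if o is not r and "_ts" in o and o.get("Uid") == r.get("Uid")
            and o.get("Comm") not in (None, "VirtKernelCall")
            and abs((o["_ts"] - r["_ts"]).total_seconds()) <= window_s
        })
        findings.append({"target": r.get("target"), "trustee": r.get("TrusteeDn"),
                         "linux_user": r.get("Uid_Name"), "commands": commands})
    return findings

if __name__ == "__main__":
    for finding in attribute_supervisor_removals(SAMPLE):
        print(finding)
```

An empty "commands" list means no user-space process from that Uid was logged inside the window, so the removal cannot be tied to a command from this log alone.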


Cause

User "root" issued the "rights" command to delete trustee assignments.
This is normal behavior for NSS.