Did something break in RHEL5 with auid?
Eric Paris
eparis at redhat.com
Sun Apr 18 22:32:20 UTC 2010
On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> In RHEL5.2 auditing worked fine for me auid was set to the user's uid
> and id was set to whatever it happened to be at the time.
>
> In RHEL5.4 auid got set to the 'anon' value.
>
> In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.
>
> Any idea what happened?
>
> This makes it very difficult to capture su events where the user used to
> be something other than 0 without capturing a ton of other garbage as
> well (unless someone has an elegant solution for that).
I haven't touched that code in RHEL 5 in quite some time (since we added
ses= back about 5.3 or so I think)
If you don't mind, could you open a bz at bugzilla.redhat.com against
the kernel with exact steps to reproduce? Otherwise I'm likely to
forget to look at this when I get into the office tomorrow.
-Eric
More information about the Linux-audit
mailing list