[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Did something break in RHEL5 with auid?



On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all,
> 
> In RHEL5.2 auditing worked fine for me auid was set to the user's uid
> and id was set to whatever it happened to be at the time.
> 
> In RHEL5.4 auid got set to the 'anon' value.
> 
> In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.
> 
> Any idea what happened?
> 
> This makes it very difficult to capture su events where the user used to
> be something other than 0 without capturing a ton of other garbage as
> well (unless someone has an elegant solution for that).

I haven't touched that code in RHEL 5 in quite some time (since we added
ses= back about 5.3 or so I think)

If you don't mind, could you open a bz at bugzilla.redhat.com against
the kernel with exact steps to reproduce?  Otherwise I'm likely to
forget to look at this when I get into the office tomorrow.

-Eric


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]