[redhat-lspp] USER_LOGIN record no longer has acct field
Steve Grubb
sgrubb at redhat.com
Wed Sep 20 16:14:01 UTC 2006
On Wednesday 20 September 2006 11:40, Loulwa Salem wrote:
> Regarding the sample record below, is there a reason we got rid of the
> acct= field and now have two uid fields.
This is a "new" record type that wasn't part of CAPP. Its aim was to help
clarify that a login occurred vs new session to aid NISPOM. So, acct was
never in this message.
The first uid field is what the kernel sees. In this case sshd is running as
root, so that is correctly reported.
> I know the second uid field that is part of the message is referring to the
> uid of the user that logged in, but I think having the acct= (telling us the
> user name) was more useful...
Inside the msg is the information logged by sshd regarding who, what, when,
where, and result. Uid is given because they have successfully identified
themselves to the system and it's shorter. Going from uid to acct name is easy
and you never know when people change their name string causing lookup
errors.
In the case where we log a message pre-authentication, you get acct since it
did not correlate to a uid.
> Also having two fields named the same within the same record is confusing
> for parsing.
Yeah, not sure if we really want to do anything here.
> type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500:
> exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0,
> terminal=/dev/pts/3 res=success)'
-Steve
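As an added illustration (not code from the thread or from the audit project), the parser below shows one way to handle the parsing concern raised above: the outer `uid=` (the process credentials the kernel sees) and the `uid=` inside the nested `msg='...'` (what sshd reported about the login) are kept in separate dictionaries, so the duplicate field names never collide. The first sample is the record quoted in the thread joined back onto one line; the second, with `acct=` instead of `uid=`, is a constructed pre-authentication record whose values are hypothetical.

```python
import re
from typing import Dict, Optional

# The USER_LOGIN record quoted in the thread, joined onto one line the way
# auditd writes it (the mailer wrapped it).
SAMPLE = (
    "type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500: "
    "exe=\"/usr/sbin/sshd\" (hostname=mysystem.ibm.com, addr=2.0.0.0, "
    "terminal=/dev/pts/3 res=success)'"
)

# Constructed pre-authentication record (hypothetical values): the user never
# authenticated, so sshd reports acct= rather than a uid.
SAMPLE_PREAUTH = (
    "type=USER_LOGIN msg=audit(1158765400.001:26420): user pid=25330 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 "
    "msg='acct=\"guest\": exe=\"/usr/sbin/sshd\" (hostname=?, addr=2.0.0.0, "
    "terminal=ssh res=failed)'"
)

AUID_UNSET = 4294967295  # 0xFFFFFFFF: the process has no login uid assigned

_HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
# key=value tokens; values are either double-quoted or run until whitespace,
# a comma or a parenthesis (the separators used inside the sshd message).
_KV = re.compile(r'(\w+)=("[^"]*"|[^\s,()]+)')


def _pairs(text: str) -> Dict[str, str]:
    """Tokenise key=value pairs, dropping surrounding quotes and trailing colons."""
    out: Dict[str, str] = {}
    for key, val in _KV.findall(text):
        out[key] = val.strip('"').rstrip(":")
    return out


def parse_user_login(line: str) -> dict:
    """Split an audit record into the kernel-supplied part and the sshd-supplied part."""
    head = _HEADER.search(line)
    if not head:
        raise ValueError("not an audit record")
    # The nested msg='...' is what the daemon authored; cut it out before
    # tokenising the outer record so the two uid= fields stay apart.
    inner_start = line.find("msg='", head.end())
    if inner_start < 0 or not line.endswith("'"):
        raise ValueError("USER_LOGIN record without a nested msg")
    inner = line[inner_start + len("msg='"):-1]
    outer = line[:head.start()] + line[head.end():inner_start]
    return {
        "timestamp": float(head.group(1)),
        "serial": int(head.group(2)),
        "process": _pairs(outer),  # type, pid, uid, auid, subj: what the kernel sees
        "event": _pairs(inner),    # uid or acct, exe, hostname, addr, terminal, res
    }


def login_summary(rec: dict) -> dict:
    """Pull out the fields a reviewer cares about, with each uid labelled by origin."""
    proc, ev = rec["process"], rec["event"]
    login_uid: Optional[int] = int(ev["uid"]) if "uid" in ev else None
    return {
        "type": proc["type"],
        "process_uid": int(proc["uid"]),       # the daemon's own uid (sshd runs as root)
        "login_uid": login_uid,                # the authenticated user, if any
        "acct": ev.get("acct"),                # only present before authentication
        "auid_set": int(proc["auid"]) != AUID_UNSET,
        "source": ev.get("addr"),
        "terminal": ev.get("terminal"),
        "result": ev.get("res"),
    }


if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_PREAUTH):
        print(login_summary(parse_user_login(raw)))
```

Keeping the two halves in separate dictionaries is the point: a flat tokeniser that walks the whole line would let the inner `uid=500` silently overwrite the outer `uid=0` (or the reverse), and the record would then look like either a root login or an unprivileged sshd, neither of which is what it says.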