[redhat-lspp] USER_LOGIN record no longer has acct field

Steve Grubb sgrubb at redhat.com
Wed Sep 20 16:14:01 UTC 2006


On Wednesday 20 September 2006 11:40, Loulwa Salem wrote:
> Regarding the sample record below, is there a reason we got rid of the
> acct= field and now have two uid fields.

This is a "new" record type that wasn't part of CAPP. Its aim was to help 
clarify that a login occurred vs new session to aid NISPOM. So, acct was 
never in this message.

The first uid field is what the kernel sees. In this case sshd is running as 
root, so that is correctly reported.

> I know the second uid field that is part of the message is referring to the
> uid of the user that logged in, but I think having the acct= (telling us the
> user name) was more useful... 

Inside the msg is the information logged by sshd regarding who, what, when, 
where, and result. Uid is given because they have successfully identified 
themselves to the system and it's shorter. Going from uid to acct name is easy 
and you never know when people change their name string causing lookup 
errors.

In the case where we log a message pre-authentication, you get acct since it 
did not correlate to a uid.

> Also having two fields named the same within the same record is confusing
> for parsing.

Yeah, not sure if we really want to do anything here.

> type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500:
> exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0,
> terminal=/dev/pts/3 res=success)'

-Steve
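
As an added example (not part of the thread or of the audit tools), a small Python parser for the record quoted above that keeps the kernel-supplied outer uid and the sshd-supplied uid inside msg='...' apart, pulls the audit event id, and resolves the inner uid to an account name through a caller-supplied map. The sample record is the one quoted in the message; the passwd map, the constructed name and the function names are assumptions.

```python
import re

# Constructed sample input: the USER_LOGIN record quoted in the thread, on one line.
SAMPLE = ("type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0 "
          "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500: "
          'exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0, '
          "terminal=/dev/pts/3 res=success)'")

UNSET_AUID = 4294967295                        # (unsigned)-1: no login uid on the process
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, value may be "quoted"
_EVENT = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_record(record):
    """Split a USER_LOGIN line into the kernel-supplied outer fields and the
    sshd-supplied body inside msg='...', so the two uid fields never collide."""
    head, sep, tail = record.rstrip().partition(" msg='")
    if not sep or not tail.endswith("'"):
        raise ValueError("record has no quoted msg body")
    outer = dict(_KV.findall(head))
    # The sshd body uses 'uid=500:' and '(k=v, k=v ...)' punctuation; blank it
    # out before tokenising so plain key=value matching works.
    cleaned = tail[:-1].translate(str.maketrans("(),", "   "))
    inner = {k: v.strip('"').rstrip(":") for k, v in _KV.findall(cleaned)}
    return {"outer": outer, "inner": inner}

def event_id(parsed):
    """Return (timestamp, serial) from the msg=audit(...) stamp."""
    m = _EVENT.search(parsed["outer"]["msg"])
    return (float(m.group(1)), int(m.group(2)))

def login_uid(parsed):
    """The uid of the user who authenticated: the inner field, not the daemon's."""
    return int(parsed["inner"]["uid"])

def daemon_uid(parsed):
    """The uid the kernel saw on the logging process (sshd, so normally 0)."""
    return int(parsed["outer"]["uid"])

def summarize(parsed, passwd=None):
    """One-line description. passwd is an optional {uid: name} map standing in
    for pwd.getpwuid() so the example runs offline (an assumption, not from the thread)."""
    uid = login_uid(parsed)
    who = (passwd or {}).get(uid, "uid %d" % uid)
    o, i = parsed["outer"], parsed["inner"]
    auid = "unset" if int(o["auid"]) == UNSET_AUID else o["auid"]
    return "%s login %s for %s from %s on %s (reported by pid %s uid %s, auid %s)" % (
        o["type"], i.get("res", "?"), who, i.get("addr", "?"), i.get("terminal", "?"),
        o["pid"], o["uid"], auid)

if __name__ == "__main__":
    print(summarize(parse_record(SAMPLE), passwd={500: "alice"}))  # constructed name
```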
