From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: Did something break in RHEL5 with auid?
Date: Sun, 18 Apr 2010 18:32:20 -0400
Message-ID: <1271629940.25420.14.camel@dhcp235-240.rdu.redhat.com>
References: <4BCA358E.1060902@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <4BCA358E.1060902@gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Trevor Vaughan <peiriannydd@gmail.com>
Cc: linux-audit <Linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all,
> 
> In RHEL5.2 auditing worked fine for me auid was set to the user's uid
> and id was set to whatever it happened to be at the time.
> 
> In RHEL5.4 auid got set to the 'anon' value.
> 
> In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.
> 
> Any idea what happened?
> 
> This makes it very difficult to capture su events where the user used to
> be something other than 0 without capturing a ton of other garbage as
> well (unless someone has an elegant solution for that).

I haven't touched that code in RHEL 5 in quite some time (since we added
ses= back about 5.3 or so I think)

If you don't mind, could you open a bz at bugzilla.redhat.com against
the kernel with exact steps to reproduce?  Otherwise I'm likely to
forget to look at this when I get into the office tomorrow.

-Eric