From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: RedHat 6 Testing
Date: Fri, 25 Mar 2011 12:15:17 -0400
Message-ID: <201103251215.18175.sgrubb@redhat.com>
References: <5CB21FE316752445AF212D47C8BE56110A19C415@XMBVAG75.northgrum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5CB21FE316752445AF212D47C8BE56110A19C415@XMBVAG75.northgrum.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, March 25, 2011 10:55:43 am Boyce, Kevin P (AS) wrote:
> I have a script in cron.weekly that has a command being executed which I am
> auditing for execve.  That part seems to work fine. However, in the
> detailed audit report my user id is associated with the execution.  Root
> owns the files there and ultimately root is the effective UID in the
> record, but why am I associated with the activity at all?

What did pam record for the user_start?
ausearch --start today -x crond -m user_start

This should show which account the script will run under. The cron daemon should set 
the loginuid to it. That would cause all actions done by the script to be attributed 
to that user.

Also, have you restarted the cron daemon? Maybe in inheritted your account. You can 
check by this:

cat /proc/`ps -C crond -o pid= | tr -d ' '`/loginuid

-Steve