* Did something break in RHEL5 with auid?
From: Trevor Vaughan @ 2010-04-17 22:26 UTC
To: linux-audit
Hello all,
In RHEL5.2 auditing worked fine for me: auid was set to the user's uid
and id was set to whatever it happened to be at the time.
In RHEL5.4 auid got set to the 'anon' value.
In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.
Any idea what happened?
This makes it very difficult to capture su events where the user used to
be something other than 0 without capturing a ton of other garbage as
well (unless someone has an elegant solution for that).
Thanks,
Trevor
* Re: Did something break in RHEL5 with auid?
From: Eric Paris @ 2010-04-18 22:32 UTC
To: Trevor Vaughan; +Cc: linux-audit
On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> In RHEL5.2 auditing worked fine for me: auid was set to the user's uid
> and id was set to whatever it happened to be at the time.
>
> In RHEL5.4 auid got set to the 'anon' value.
>
> In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.
>
> Any idea what happened?
>
> This makes it very difficult to capture su events where the user used to
> be something other than 0 without capturing a ton of other garbage as
> well (unless someone has an elegant solution for that).
I haven't touched that code in RHEL 5 in quite some time (since we added
ses= back about 5.3 or so, I think).
If you don't mind, could you open a bz at bugzilla.redhat.com against
the kernel with exact steps to reproduce? Otherwise I'm likely to
forget to look at this when I get into the office tomorrow.
-Eric