From: Trevor Vaughan
Subject: Did something break in RHEL5 with auid?
Date: Sat, 17 Apr 2010 18:26:22 -0400
Message-ID: <4BCA358E.1060902@gmail.com>
To: linux-audit

Hello all,

In RHEL5.2 auditing worked fine for me; auid was set to the user's uid and id was set to whatever it happened to be at the time.

In RHEL5.4 auid got set to the 'anon' value.

In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.

Any idea what happened?

This makes it very difficult to capture su events where the user used to be something other than 0 without capturing a ton of other garbage as well (unless someone has an elegant solution for that).

Thanks,

Trevor