at, cron: wrong auid

Klaus Weidner klaus at atsec.com
Tue Jul 19 16:49:33 UTC 2005


On Tue, Jul 19, 2005 at 11:16:47AM -0500, Debora Velarde wrote:
> We were asked to modify our 'at' and 'crontab' testcases so that the job
> being run contained a syscall.  Then we needed to verify that the correct
> audit record was generated for that syscall.  In doing so, I see that the
> audit record for the syscall executed by the job contains "auid=0", rather
> than "auid=500" which is the user I initially logged in with.
> 
> I asked Klaus if this behavior is valid.  His reply, "The syscall audit
> record needs to have the auid of the user on whose
> behalf the job is executing, for example auid=500, *not* 0."

Just to clarify, the auid in the record isn't necessarily supposed to be
that of the user you logged in as; it's supposed to be the ID of the user
creating the crontab entry. This is the same in normal use, but can be
different if you use "su" to change identity or submit jobs as root;
either one wouldn't be a good test case.

So if you use the "crontab" command as user "test" with uid 500 to submit
jobs, the syscalls generated by that job need to have auid 500. To avoid
confusion, you should create a fresh login session (i.e. via automated ssh)
for running the "crontab" command when submitting the job.

-Klaus
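
The check described above, as an added example that is not part of the
original message or of the test suite under discussion: it scans audit
records for SYSCALL events emitted by the job and compares their auid with
the uid of the user who submitted the crontab entry. The log lines, the job
command name "touch" and the function names are constructed for illustration.

```python
import re

UNSET_AUID = 4294967295  # (uid_t)-1: how an unset login uid is printed

# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1121791773.101:41): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2101 auid=500 uid=500 gid=500 euid=500 comm="crontab" exe="/usr/bin/crontab"
type=SYSCALL msg=audit(1121791860.004:57): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2144 auid=0 uid=500 gid=500 euid=500 comm="touch" exe="/bin/touch"
type=PATH msg=audit(1121791860.004:57): name="/tmp/cronjob.out" inode=7712
type=SYSCALL msg=audit(1121791920.010:63): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2160 auid=500 uid=500 gid=500 euid=500 comm="touch" exe="/bin/touch"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = EVENT_ID.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def check_job_auid(log_text, job_comm, expected_auid):
    """Return (event, auid, verdict) for each SYSCALL record from the job."""
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("comm") != job_comm:
            continue  # PATH/CWD records and unrelated commands are skipped
        if not rec.get("auid", "").isdigit():
            results.append((rec["event"], None, "missing"))
            continue
        auid = int(rec["auid"])
        if auid == expected_auid:
            verdict = "ok"
        elif auid == UNSET_AUID:
            verdict = "unset"
        else:
            verdict = "wrong"  # e.g. auid=0 although uid 500 submitted the job
        results.append((rec["event"], auid, verdict))
    return results

def failures(results):
    """Keep only the records whose auid is not the submitter's uid."""
    return [r for r in results if r[2] != "ok"]

if __name__ == "__main__":
    for event, auid, verdict in check_job_auid(SAMPLE_LOG, "touch", 500):
        print(event, auid, verdict)
```

Matching on uid as well as comm would narrow the selection further when
other users run the same command during the test window.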