Did something break in RHEL5 with auid?

Trevor Vaughan peiriannydd at gmail.com
Sat Apr 17 22:26:22 UTC 2010


Hello all,

In RHEL5.2 auditing worked fine for me: auid was set to the user's uid
and id was set to whatever it happened to be at the time.

In RHEL5.4 auid got set to the 'anon' value.

In RHEL5.5 auid gets set to '0' but uid is logged in original su entries.

Any idea what happened?

This makes it very difficult to capture su events where the user used to
be something other than 0 without capturing a ton of other garbage as
well (unless someone has an elegant solution for that).

Thanks,

Trevor




More information about the Linux-audit mailing list