hi i plan to put auditd on several hundred servers to control. I saw this bug, but i can't confirmed it on debian jessie or stretch, and i was thinking it didn't exist anymore i discover the same case and behavior on ubuntu 18.40.
So now i'm in doubt :) Jessie, 8.11 version libpam-modules:amd64 1.1.8-3.1+deb8u2+b1 debconf 1.5.56+deb8u1 libaudit1:amd64 1:2.4-1+b1 libc6:amd64 2.19-18+deb8u10 libdb5.3:amd64 5.3.28-9+deb8u1 libpam-modules-bin 1.1.8-3.1+deb8u2+b1 libpam0g:amd64 1.1.8-3.1+deb8u2+b1 libselinux1:amd64 2.3-2 Stretch, 9.6 version libpam-modules:amd64 1.1.8-3.6 debconf 1.5.61 libaudit1:amd64 1:2.6.7-2 libc6:amd64 2.24-11+deb9u3 libdb5.3:amd64 5.3.28-12+deb9u1 libpam-modules-bin 1.1.8-3.6 libpam0g:amd64 1.1.8-3.6 libselinux1:amd64 2.6-3+b3 No problems: Jessie: Jan 21 14:38:17 su[10664]: Successful su for root by marc Jan 21 14:38:17 su[10664]: + /dev/pts/1 marc:root Jan 21 14:38:17 su[10664]: pam_unix(su:session): session opened for user root by marc(uid=1003) Jan 21 14:38:17 su[10664]: pam_tty_audit(su:session): changed status from 0 to 1 stretch: Jan 21 14:41:13 su[11588]: Successful su for root by marc Jan 21 14:41:13 su[11588]: + /dev/pts/2 marc:root Jan 21 14:41:13 su[11588]: pam_unix(su:session): session opened for user root by marc(uid=1001) Jan 21 14:41:13 su[11588]: pam_systemd(su:session): Cannot create session: Already running in a session Jan 21 14:41:13 su[11588]: pam_tty_audit(su:session): changed status from 0 to 1 but ubuntu: Jan 21 14:32:17 sshd[10975]: pam_tty_audit(sshd:session): error setting current audit status: Invalid argument Jan 21 14:32:18 sshd[10975]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session So what environement or package create the bug ? i don't want to have hundred of servers i can't no longer connect on it. Best regards thanks

