On Sat, 2010-04-17 at 18:26 -0400, Trevor Vaughan wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello all, > > In RHEL5.2 auditing worked fine for me auid was set to the user's uid > and id was set to whatever it happened to be at the time. > > In RHEL5.4 auid got set to the 'anon' value. > > In RHEL5.5 auid gets set to '0' but uid is logged in original su entries. > > Any idea what happened? > > This makes it very difficult to capture su events where the user used to > be something other than 0 without capturing a ton of other garbage as > well (unless someone has an elegant solution for that).
I haven't touched that code in RHEL 5 in quite some time (since we added ses= back about 5.3 or so I think) If you don't mind, could you open a bz at bugzilla.redhat.com against the kernel with exact steps to reproduce? Otherwise I'm likely to forget to look at this when I get into the office tomorrow. -Eric -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
