Package: auditd
Version: 1.7.4-1
Debian lenny 5.0.3
Kernel version: original Debian Linux kernel 2.6.26-2-686
auditd doesn't log auid as the original ID (login ID, real ID). In the auditd package of Debian lenny it is impossible to distinguish when I run a command as a non-privileged user with root privileges via su from when I run a command as the real root user.

For example, I have the following rule in the audit.rules file:

-a entry,always -S execve

I log in as the non-privileged user 'test' and run the 'su -' command. After that, I run some command (for example, ls -al) and in the audit log file I see the following:

type=SYSCALL msg=audit(1260366944.809:211667): arch=40000003 syscall=11 success=yes exit=0 a0=85b9988 a1=86f0688 a2=859c408 a3=0 items=2 ppid=5250 pid=9684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1260366944.809:211667): argc=3 a0="ls" a1="--color=auto" a2="-al"
type=CWD msg=audit(1260366944.809:211667): cwd="/usr"
type=PATH msg=audit(1260366944.809:211667): item=0 name="/bin/ls" inode=64975 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1260366944.809:211667): item=1 name=(null) inode=107688 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

The next time, I run the 'ls -al' command as the real root user (not via su). In the audit log I see the same:

type=SYSCALL msg=audit(1260366991.920:211668): arch=40000003 syscall=11 success=yes exit=0 a0=93880e8 a1=9388fc8 a2=9329408 a3=0 items=2 ppid=2398 pid=9685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1260366991.920:211668): argc=3 a0="ls" a1="--color=auto" a2="-al"
type=CWD msg=audit(1260366991.920:211668): cwd="/var/cache/apt/archives"
type=PATH msg=audit(1260366991.920:211668): item=0 name="/bin/ls" inode=64975 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1260366991.920:211668): item=1 name=(null) inode=107688 dev=68:02 mode=0100755 ouid=0 ogid=0 rdev=00:00

The value of the auid parameter doesn't vary.
In RHEL 5.4, auid equals the real uid of the test user (for example, auid = loginID = 500) even when I'm in 'su -' mode.

--
Best regards,
iliz.
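As an added example (not part of this bug report), a small Python parser that reads auditd SYSCALL records and shows why an unset auid breaks attribution. The first two sample records are the SYSCALL lines from the report above; the third is a constructed record with auid=500, the kind of record the RHEL behaviour described would produce for user 'test' after 'su -'.

```python
import re

# The kernel stores loginuid as -1 when it was never set; printed as an
# unsigned 32-bit value that is 4294967295.
UNSET = 4294967295

# Constructed sample: records 1 and 2 are from the report (auid unset),
# record 3 is constructed to show a set loginuid (auid=500, uid=0 after su).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1260366944.809:211667): arch=40000003 syscall=11 success=yes exit=0 a0=85b9988 a1=86f0688 a2=859c408 a3=0 items=2 ppid=5250 pid=9684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1260366991.920:211668): arch=40000003 syscall=11 success=yes exit=0 a0=93880e8 a1=9388fc8 a2=9329408 a3=0 items=2 ppid=2398 pid=9685 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1260367000.000:211669): arch=40000003 syscall=11 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=9700 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="ls" exe="/bin/ls" key=(null)
"""

# key=value pairs; values may be quoted ("ls"), parenthesised ((null)) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict; numeric id fields become ints."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r"audit\(([\d.]+):(\d+)\)", rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    for k in ("auid", "uid", "euid", "ses", "pid", "ppid"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def classify(rec):
    """Say what the auid/uid pair lets an analyst conclude about the actor."""
    if rec["auid"] == UNSET:
        # loginuid never set: su'd root and a real root login look identical.
        return "unattributed"
    if rec["auid"] != rec["uid"]:
        # e.g. login user 500 now running as uid 0 via su.
        return "login-user-%d-as-uid-%d" % (rec["auid"], rec["uid"])
    return "direct"


def attribute_records(log):
    """Return (serial, auid, uid, verdict) for every SYSCALL record in log."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            out.append((rec["serial"], rec["auid"], rec["uid"], classify(rec)))
    return out


if __name__ == "__main__":
    for row in attribute_records(SAMPLE_LOG):
        print("serial=%d auid=%d uid=%d -> %s" % row)
```

On the lenny records both verdicts come out "unattributed", which is exactly the gap the report describes; only the constructed third record can be tied back to login user 500.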