Bug 130436

Summary: sudo usage confuses laus logs
Product: Red Hat Enterprise Linux 3 Reporter: Hal Wine <hal>
Component: lausAssignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX QA Contact: Jay Turner <jturner>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-19 19:19:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Output of: sudo strace -o sudo.strace sudo ls
none
Output of: sudo ltrace -o sudo.ltrace sudo ls none

Description Hal Wine 2004-08-20 15:30:24 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031008

Description of problem:
commands executed via sudo generate AUTH_failure messages in laus logs.

Besides providing useless data, AUTH_failure is tough to explain as a
"normal" and "expected" log value to auditors.





Version-Release number of selected component (if applicable):
laus-0.1-54RHEL3

How reproducible:
Always

Steps to Reproduce:
on a RHEL ES 3 update 2 everything install:
1. login as root
2. execute any sudo command, such as:
     sudo date
3. check the end of the audit log with
     aucat -v | tail
4. note a message similar to:
2004-08-19T21:44:35      7   2299       -1      0      0      0      0
     0      0      0      0  4294967295    [AUTH_failure] PAM
bad_ident: user=? (hostname=?, addr=?, terminal=pts/0)


Actual Results:  AUTH_failure messages in the logs

Expected Results:  Accurate information, as reported in
/var/log/secure for the same event:
Aug 19 21:44:35 es3-vmware sudo:     root : TTY=pts/0 ; PWD=/root ;
USER=root ; COMMAND=/bin/date

Additional info:

This was on a RHEL ES 3 update 2 everything install.

Related package versions include:
pam-0.75-54
sudo-1.6.7p5-1
Comment 1 Brad Smith 2005-01-12 22:39:40 UTC 
Created attachment 109701 [details]
Output of: sudo strace -o sudo.strace sudo ls

I have the same problem in RHEL3/Update 4. Since I use sudo for almost all
superuser commands, this is a nontrivial nuisance. If it helps track down the
problem, I've attached the output of an strace of "sudo ls", which generates
one of the problem logs.
Comment 2 Brad Smith 2005-01-12 22:40:56 UTC 
Created attachment 109702 [details]
Output of: sudo ltrace -o sudo.ltrace sudo ls

And here's an ltrace of the same. All the pam_* functions return zero, so maybe
it won't be helpful, but here it is just in case.
Comment 3 RHEL Program Management 2007-10-19 19:19:55 UTC 
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.