Bug 230401

Summary: gdm create spurious audit entries
Product: [Fedora] Fedora Reporter: Tomas Mraz <tmraz>
Component: gdmAssignee: Ray Strode [halfline] <rstrode>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-03-06 19:17:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Mraz 2007-02-28 19:09:50 UTC 
I cloned the RHEL4 bug report as it seems that this one somehow stayed unfixed 
in Fedora and RHEL5. There was an errata for RHEL4 with this.

+++ This bug was initially created as a clone of Bug #161230 +++

Description of problem:
Testing has shown that there is a spurious audit message being generated by gdm:

type=USER_ERR msg=audit(06/21/05 09:44:32.699:783952) : user pid=2155 uid=root 
auid=unknown(4294967295) msg='PAM bad_ident: user=? exe="/usr/bin/gdm-binary"
(hostname=?, addr=?, terminal=? result=User not known to the underlying
authentication module)'

This causes the audit system to log what could be interpretted as "suspicious"
events.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. install audit package
2. reboot into run level 5
3. ausearch -i -x gdm
  

Actual Results:  Among other things you will find a USER_ERR message with no
PAM_USER.

Additional info:

-- Additional comment from tmraz on 2005-06-21 12:53 EST --
Created an attachment (id=115763)
Proposed patch

This patch simply disables the checking call to pam which is not necessary when
gdm is part of the distribution and not manually installed from sources by
user.
Comment 1 Ray Strode [halfline] 2007-03-06 19:17:15 UTC 
This should be built into rawhide now.

Is there a RHEL5 bug somewhere too?
Comment 2 Tomas Mraz 2007-03-19 11:19:46 UTC 
Probably not. I'll clone this one.