First Last Prev Next    This bug is not in your last search results.
Bug 130436 - sudo usage confuses laus logs
sudo usage confuses laus logs
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus (Show other bugs)
3.0
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-08-20 11:30 EDT by Hal Wine
Modified: 2015-01-07 19:08 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-19 15:19:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Output of: sudo strace -o sudo.strace sudo ls (97.26 KB, text/plain)
2005-01-12 17:39 EST, Brad Smith 		no flags Details
Output of: sudo ltrace -o sudo.ltrace sudo ls (286.90 KB, text/plain)
2005-01-12 17:40 EST, Brad Smith 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Hal Wine 2004-08-20 11:30:24 EDT 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031008

Description of problem:
commands executed via sudo generate AUTH_failure messages in laus logs.

Besides providing useless data, AUTH_failure is tough to explain as a
"normal" and "expected" log value to auditors.





Version-Release number of selected component (if applicable):
laus-0.1-54RHEL3

How reproducible:
Always

Steps to Reproduce:
on a RHEL ES 3 update 2 everything install:
1. login as root
2. execute any sudo command, such as:
     sudo date
3. check the end of the audit log with
     aucat -v | tail
4. note a message similar to:
2004-08-19T21:44:35      7   2299       -1      0      0      0      0
     0      0      0      0  4294967295    [AUTH_failure] PAM
bad_ident: user=? (hostname=?, addr=?, terminal=pts/0)


Actual Results:  AUTH_failure messages in the logs

Expected Results:  Accurate information, as reported in
/var/log/secure for the same event:
Aug 19 21:44:35 es3-vmware sudo:     root : TTY=pts/0 ; PWD=/root ;
USER=root ; COMMAND=/bin/date

Additional info:

This was on a RHEL ES 3 update 2 everything install.

Related package versions include:
pam-0.75-54
sudo-1.6.7p5-1
Comment 1 Brad Smith 2005-01-12 17:39:40 EST 
Created attachment 109701 [details]
Output of: sudo strace -o sudo.strace sudo ls

I have the same problem in RHEL3/Update 4. Since I use sudo for almost all
superuser commands, this is a nontrivial nuisance. If it helps track down the
problem, I've attached the output of an strace of "sudo ls", which generates
one of the problem logs.
Comment 2 Brad Smith 2005-01-12 17:40:56 EST 
Created attachment 109702 [details]
Output of: sudo ltrace -o sudo.ltrace sudo ls

And here's an ltrace of the same. All the pam_* functions return zero, so maybe
it won't be helpful, but here it is just in case.
Comment 3 RHEL Product and Program Management 2007-10-19 15:19:55 EDT 
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.