From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031008 Description of problem: commands executed via sudo generate AUTH_failure messages in laus logs. Besides providing useless data, AUTH_failure is tough to explain as a "normal" and "expected" log value to auditors. Version-Release number of selected component (if applicable): laus-0.1-54RHEL3 How reproducible: Always Steps to Reproduce: on a RHEL ES 3 update 2 everything install: 1. login as root 2. execute any sudo command, such as: sudo date 3. check the end of the audit log with aucat -v | tail 4. note a message similar to: 2004-08-19T21:44:35 7 2299 -1 0 0 0 0 0 0 0 0 4294967295 [AUTH_failure] PAM bad_ident: user=? (hostname=?, addr=?, terminal=pts/0) Actual Results: AUTH_failure messages in the logs Expected Results: Accurate information, as reported in /var/log/secure for the same event: Aug 19 21:44:35 es3-vmware sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/date Additional info: This was on a RHEL ES 3 update 2 everything install. Related package versions include: pam-0.75-54 sudo-1.6.7p5-1
Created attachment 109701 [details] Output of: sudo strace -o sudo.strace sudo ls I have the same problem in RHEL3/Update 4. Since I use sudo for almost all superuser commands, this is a nontrivial nuisance. If it helps track down the problem, I've attached the output of an strace of "sudo ls", which generates one of the problem logs.
Created attachment 109702 [details] Output of: sudo ltrace -o sudo.ltrace sudo ls And here's an ltrace of the same. All the pam_* functions return zero, so maybe it won't be helpful, but here it is just in case.
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet that criteria, it is now being closed. For more information of the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.