Bug 130436 - sudo usage confuses laus logs
Summary: sudo usage confuses laus logs
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-08-20 15:30 UTC by Hal Wine
Modified: 2015-01-08 00:08 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-19 19:19:55 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Output of: sudo strace -o sudo.strace sudo ls (97.26 KB, text/plain)
2005-01-12 22:39 UTC, Brad Smith
no flags Details
Output of: sudo ltrace -o sudo.ltrace sudo ls (286.90 KB, text/plain)
2005-01-12 22:40 UTC, Brad Smith
no flags Details

Description Hal Wine 2004-08-20 15:30:24 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031008

Description of problem:
commands executed via sudo generate AUTH_failure messages in laus logs.

Besides providing useless data, AUTH_failure is tough to explain as a
"normal" and "expected" log value to auditors.





Version-Release number of selected component (if applicable):
laus-0.1-54RHEL3

How reproducible:
Always

Steps to Reproduce:
on a RHEL ES 3 update 2 everything install:
1. login as root
2. execute any sudo command, such as:
     sudo date
3. check the end of the audit log with
     aucat -v | tail
4. note a message similar to:
2004-08-19T21:44:35      7   2299       -1      0      0      0      0
     0      0      0      0  4294967295    [AUTH_failure] PAM
bad_ident: user=? (hostname=?, addr=?, terminal=pts/0)


Actual Results:  AUTH_failure messages in the logs

Expected Results:  Accurate information, as reported in
/var/log/secure for the same event:
Aug 19 21:44:35 es3-vmware sudo:     root : TTY=pts/0 ; PWD=/root ;
USER=root ; COMMAND=/bin/date

Additional info:

This was on a RHEL ES 3 update 2 everything install.

Related package versions include:
pam-0.75-54
sudo-1.6.7p5-1

Comment 1 Brad Smith 2005-01-12 22:39:40 UTC
Created attachment 109701 [details]
Output of: sudo strace -o sudo.strace sudo ls

I have the same problem in RHEL3/Update 4. Since I use sudo for almost all
superuser commands, this is a nontrivial nuisance. If it helps track down the
problem, I've attached the output of an strace of "sudo ls", which generates
one of the problem logs.

Comment 2 Brad Smith 2005-01-12 22:40:56 UTC
Created attachment 109702 [details]
Output of: sudo ltrace -o sudo.ltrace sudo ls

And here's an ltrace of the same. All the pam_* functions return zero, so maybe
it won't be helpful, but here it is just in case.

Comment 3 RHEL Program Management 2007-10-19 19:19:55 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.


Note You need to log in before you can comment on or make changes to this bug.