Red Hat Bugzilla – Bug 208838
Not logging newrole errors as USER_ROLE_CHANGE
Last modified: 2007-11-30 17:07:34 EST
As a test user:
$ newrole -r system_r
newrole: incorrect password for root
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root
: exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'
This should be USER_ROLE_CHANGE, rather than USER_AUTH.
I don't agree, since you are failing on the login versus failing on the changing
of the role.
Steve, what do you think?
All use of the authentication mechanism must be audited. The event above is
correctly attributing a failed use of that facility. This does not preclude
another event being generated by newrole that says USER_ROLE_CHANGE failed. As a
matter of fact, I think Mike was working on a patch that does just this.
Created attachment 138894
patch fixing problems described herein
This patch adds an audit message when the password is incorrect. Please apply.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release. Product Management has requested further review
of this request by Red Hat Engineering. This request is not yet committed for
inclusion in release.
Fixed in policycoreutils-1.32-1
With policycoreutils-1.33.1-7.el5 I'm not seeing a change:
type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication
acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0
auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
Fixed in policycoreutils-1.33.5-1
A package has been built which should help the problem described in
this bug report. This report is therefore being closed with a resolution
of CURRENTRELEASE. You may reopen this bug report if the solution does
not work for you.
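Added example, not part of the original bug report or of policycoreutils: a small Python check that parses audit records like those quoted above and lists failed newrole USER_AUTH events that have no USER_ROLE_CHANGE record from the same pid. Pairing by pid and the field layout of the USER_ROLE_CHANGE record are assumptions; the last two sample records are constructed.

```python
import re

NEWROLE = "/usr/bin/newrole"
HEADER = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
# key=value pairs; a value is double-quoted or runs to whitespace, ')' or a single quote
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s)\']+)')

def parse_record(line):
    """Parse one audit record into a dict; return None if the audit header is missing."""
    line = line.strip()
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, value in FIELD.findall(line[m.end():]):
        # First occurrence wins; the outer msg='...' wrapper is skipped by the regex.
        rec.setdefault(key, value.strip('"').rstrip(","))
    return rec

def unpaired_newrole_failures(lines):
    """Failed newrole USER_AUTH records with no USER_ROLE_CHANGE from the same pid."""
    recs = [r for r in map(parse_record, lines) if r and r.get("exe") == NEWROLE]
    role_pids = {r.get("pid") for r in recs if r["type"] == "USER_ROLE_CHANGE"}
    return [r for r in recs
            if r["type"] == "USER_AUTH" and r.get("res") == "failed"
            and r.get("pid") not in role_pids]

# Records 1-3 are the ones quoted in this report, joined onto single lines (the third
# is cut off in the report and is kept that way). Records 4-5 are constructed, and
# the message text of the USER_ROLE_CHANGE record is a placeholder.
SAMPLE = """\
type=USER_AUTH msg=audit(1159034947.964:259): user pid=13388 uid=500 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c255 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_AUTH msg=audit(1164217171.511:362): user pid=4619 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_ACCT msg=audit(1164217201.031:363): user pid=4622 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
type=USER_AUTH msg=audit(1164217300.000:370): user pid=5001 uid=500 auid=500 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/2 res=failed)'
type=USER_ROLE_CHANGE msg=audit(1164217300.001:371): user pid=5001 uid=500 auid=500 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='constructed role-change text : exe="/usr/bin/newrole" (hostname=?, addr=?, terminal=pts/2 res=failed)'
"""

if __name__ == "__main__":
    for rec in unpaired_newrole_failures(SAMPLE.splitlines()):
        print(f"audit({rec['ts']}:{rec['serial']}) pid={rec['pid']} uid={rec['uid']} "
              "failed newrole authentication without a USER_ROLE_CHANGE record")
```

Both records quoted in the report are flagged, while the constructed pid 5001 pair is not.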