Bug 2231556 - pam_faillock audit events duplicate uid
Summary: pam_faillock audit events duplicate uid
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: pam
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Iker Pedrosa
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-11 21:15 UTC by Steve Grubb
Modified: 2023-08-14 08:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-165689 0 None None None 2023-08-11 21:15:54 UTC
Red Hat Issue Tracker SSSD-6627 0 None None None 2023-08-14 08:18:57 UTC

Description Steve Grubb 2023-08-11 21:15:14 UTC
Description of problem:
It was found that pam_faillock is making bad audit events. It seems to have been this way for a while. But it was recently found that it can mislead ausearch into associating the wrong name with the uid. The fix is to change uid to suid. There is a patch here that upstream recently accepted:

https://github.com/linux-pam/linux-pam/pull/591

This should be applied as soon as possible, because once the event is created wrong, it's that way forever.