auid doesn't display user id while connected via ssh
Issue
- When a user logs in to the system via ssh and executes "sudo su -", the user's uid does not appear in the auid field of the audit logs.
type=CRED_ACQ msg=audit(1322878406.113:62654963): user pid=20204 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/bin/sudo" (hostname=u060tsi41, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
type=USER_START msg=audit(1322878406.117:62654964): user pid=20204 uid=0 auid=4294967295 msg='PAM: session open acct="root" : exe="/usr/bin/sudo" (hostname=u060tsi41, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
type=USER_END msg=audit(1322878406.117:62654965): user pid=20204 uid=0 auid=4294967295 msg='PAM: session close acct="root" : exe="/usr/bin/sudo" (hostname=u060tsi41, addr=127.0.0.1, terminal=/dev/pts/2 res=success)'
type=USER_CMD msg=audit(1322878406.118:62654966): user pid=20204 uid=0 auid=4294967295 msg='cwd="/home/sh53837" cmd=2F62696E2F7375202D (terminal=pts/2 res=success)'
type=USER_AUTH msg=audit(1322878406.120:62654967): user pid=20204 uid=0 auid=4294967295 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1322878406.121:62654968): user pid=20204 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1322878406.124:62654969): user pid=20204 uid=0 auid=4294967295 msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1322878406.124:62654970): user pid=20204 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
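The following is an added example, not part of the original article: a small parser that flags audit records whose auid is 4294967295 (the unsigned 32-bit form of -1, meaning the login UID was never set) and decodes the hex-encoded cmd field. The sample input reuses two records from the log above plus one constructed record with a populated auid; the function names are illustrative.

```python
import re

UNSET_AUID = 2**32 - 1  # 4294967295 is (uint32)-1: login UID was never set

# Constructed sample: the first two records are copied from the log above;
# the third is made up, with a populated auid (500), for contrast.
SAMPLE = """\
type=USER_CMD msg=audit(1322878406.118:62654966): user pid=20204 uid=0 auid=4294967295 msg='cwd="/home/sh53837" cmd=2F62696E2F7375202D (terminal=pts/2 res=success)'
type=USER_START msg=audit(1322878406.124:62654969): user pid=20204 uid=0 auid=4294967295 msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1322878500.001:62655000): user pid=20300 uid=0 auid=500 msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 res=success)'
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s\'"),]+)')
# String fields that auditd writes either quoted (literal) or as bare hex.
ENCODED_FIELDS = {"cmd", "cwd", "exe", "acct"}


def decode_value(key, raw):
    """Strip quotes from literal strings; hex-decode bare encoded strings."""
    if raw.startswith('"'):
        return raw[1:-1]
    if key in ENCODED_FIELDS and len(raw) % 2 == 0 \
            and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not one."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)),
           "serial": int(m.group(3))}
    for key, raw in FIELD.findall(line[m.end():]):
        rec[key] = decode_value(key, raw)
    return rec


def unattributed(text):
    """Return parsed records whose auid is the unset sentinel."""
    records = (parse_record(line) for line in text.splitlines())
    return [r for r in records if r and r.get("auid") == str(UNSET_AUID)]


if __name__ == "__main__":
    for r in unattributed(SAMPLE):
        print(r["serial"], r["type"], "uid=" + r["uid"],
              r.get("cmd") or r.get("exe"))
```

For the USER_CMD record above, the decoded cmd value is `/bin/su -`, the command sudo was asked to run.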
Environment
- Red Hat Enterprise Linux 5