res=failed entries in audit.log for regular user cronjobs

Solution Verified - Updated -

Issue

  • A cron job that executes correctly still produces a failed (res=failed) audit entry:
[root@rhel9 ~]# adduser -u 1000 test
[root@rhel9 ~]# su - test
[test@rhel9 ~]$ cat > /tmp/atable
00,05,10,15,20,25,30,35,40,45,50,55 * * * * date > /tmp/test.out
[test@rhel9 ~]$ crontab < /tmp/atable
[test@rhel9 ~]$ crontab -l
00,05,10,15,20,25,30,35,40,45,50,55 * * * * date > /tmp/test.out
[test@rhel9 ~]$ exit
logout
[root@rhel9 ~]# cat /tmp/test.out
Fri Jul 15 17:00:01 CEST 2022
[root@rhel9 ~]# tail -10 /var/log/audit/audit.log | grep mb-mig-test
type=SYSCALL msg=audit(1757897201.323:118): arch=c000003e syscall=1 success=yes exit=4 a0=7 a1=7fff428d46d0 a2=4 a3=3e8 items=0 ppid=1 pid=3869 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=write AUID="mb-mig-test" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=USER_START msg=audit(1657897201.325:119): pid=3869 uid=0 auid=1000 ses=4 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="mb-mig-test" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="mb-mig-test"
type=USER_START msg=audit(1757897201.415:121): pid=3866 uid=0 auid=1000 ses=3 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="mb-mig-test" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'UID="root" AUID="mb-mig-test"
type=CRED_REFR msg=audit(1657897201.416:122): pid=3866 uid=0 auid=1000 ses=3 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="test" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'UID="root" AUID="test"
type=CRED_DISP msg=audit(1657897201.424:123): pid=3866 uid=0 auid=1000 ses=3 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="test" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'UID="root" AUID="test"
type=USER_END msg=audit(1657897201.425:124): pid=3866 uid=0 auid=1000 ses=3 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="test" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'UID="root" AUID="test"
[root@el9man ~]# tail -20 /var/log/audit/audit.log | grep test | grep fail
type=CRED_ACQ msg=audit(1657897201.322:116): pid=3869 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct="test" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
[root@rhel9 ~]#
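  • In RHEL9, we also have a CRED error in audit. Note that the res=failed CRED_ACQ record is emitted by exe=/usr/lib/systemd/systemd with grantors=?, while crond's own PAM:setcred record for the same account shows res=success: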
type=CRED_ACQ msg=audit(07/18/22 14:34:01.335:375) : pid=4429 uid=root auid=unset ses=unset subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=test exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
type=CRED_ACQ msg=audit(07/18/22 14:34:01.478:379) : pid=4432 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=? acct=test exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=failed'  

Environment

  • RHEL 8,9
  • cronie
  • pam
