On Wednesday 20 September 2006 11:40, Loulwa Salem wrote:

> Regarding the sample record below, is there a reason we got rid of the
> acct= field and now have two uid fields?

This is a "new" record type that wasn't part of CAPP. Its aim was to help clarify that a login occurred vs new session to aid NISPOM. So, acct was never in this message. The first uid field is what the kernel sees. In this case sshd is running as root, so that is correctly reported.

> I know the second uid field that is part of the message is referring to the
> uid of the user that logged in, but I think having the acct= (telling us the
> user name) was more useful...

Inside the msg is the information logged by sshd regarding who, what, when, where, and result. Uid is given because they have successfully identified themselves to the system and it's shorter. Going from uid to acct name is easy and you never know when people change their name string causing lookup errors. In the case where we log a message pre-authentication, you get acct since it did not correlate to a uid.

> Also having two fields named the same within the same record is confusing
> for parsing.

Yeah, not sure if we really want to do anything here.

> type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500:
> exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0,
> terminal=/dev/pts/3 res=success)'

-Steve

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
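The parsing concern raised in the thread (two fields both named uid in one record) comes from the record having two layers: the kernel-supplied fields of the process that emitted the record, and the nested msg='...' payload written by sshd. The following is an added example, not code from the thread or from the audit project, showing how a consumer can keep the two layers apart, treat auid=4294967295 as "no login uid set", and resolve the inner uid to a name with a fallback when the lookup fails. The second record (pre-authentication, carrying acct= instead of uid=) is constructed here to illustrate the case Steve describes; its exact field layout is an assumption, not a quoted real record.

```python
import pwd
import re
from typing import Optional

# Record quoted in the thread (the page's own sample).
SAMPLE_SUCCESS = (
    "type=USER_LOGIN msg=audit(1158765381.613:26419): user pid=25321 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 msg='uid=500: "
    'exe="/usr/sbin/sshd" (hostname=mysystem.ibm.com, addr=2.0.0.0, '
    "terminal=/dev/pts/3 res=success)'"
)

# Constructed pre-authentication record (assumed layout): the login attempt
# never correlated to a uid, so the inner message carries acct= instead.
SAMPLE_PREAUTH = (
    "type=USER_LOGIN msg=audit(1158765400.000:26420): user pid=25330 uid=0 "
    "auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c255 "
    "msg='acct=\"nosuchuser\": exe=\"/usr/sbin/sshd\" (hostname=mysystem.ibm.com, "
    "addr=2.0.0.0, terminal=/dev/pts/4 res=failed)'"
)

AUID_UNSET = 4294967295  # (unsigned)-1: no login uid was ever assigned to the process

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
INNER_RE = re.compile(r"msg='(.*)'\s*$")          # nested payload written by the daemon
OUTER_KV_RE = re.compile(r"(\w+)=(\S+)")           # kernel-side key=value tokens
INNER_KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,:)]+)')  # tolerates the ": ( , )" separators


def parse_record(line: str) -> dict:
    """Split one USER_LOGIN line into header, process-level fields and nested msg fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, millis, serial, rest = m.groups()
    inner = INNER_RE.search(rest)
    outer_text = rest[: inner.start()] if inner else rest
    process = dict(OUTER_KV_RE.findall(outer_text))  # uid here is the daemon's uid (0 for sshd)
    nested = {}
    if inner:
        for key, val in INNER_KV_RE.findall(inner.group(1)):
            nested[key] = val.strip('"')  # uid here is the authenticated user's uid
    return {
        "type": rtype,
        "time": float(f"{secs}.{millis}"),
        "serial": int(serial),
        "process": process,
        "msg": nested,
    }


def auid_is_unset(rec: dict) -> bool:
    """True when the emitting process never had a login uid (the sshd daemon case)."""
    return int(rec["process"].get("auid", AUID_UNSET)) == AUID_UNSET


def uid_to_name(uid: int) -> Optional[str]:
    """Resolve a uid via the local passwd database; None if the account is gone or renamed."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def login_subject(rec: dict) -> dict:
    """Who the login is about: prefer the inner uid, fall back to acct for pre-auth records."""
    msg = rec["msg"]
    if "uid" in msg:
        uid = int(msg["uid"])
        return {"kind": "uid", "uid": uid, "name": uid_to_name(uid)}
    if "acct" in msg:
        return {"kind": "acct", "uid": None, "name": msg["acct"]}
    return {"kind": "unknown", "uid": None, "name": None}


if __name__ == "__main__":
    for line in (SAMPLE_SUCCESS, SAMPLE_PREAUTH):
        rec = parse_record(line)
        print(rec["serial"], "daemon uid:", rec["process"]["uid"],
              "subject:", login_subject(rec), "res:", rec["msg"].get("res"))
```

Keeping the kernel-side fields and the daemon's nested payload in separate dictionaries removes the name clash without changing the record format; the name lookup is done at read time and returns None rather than failing when the uid no longer maps to an account, which is the lookup-error case the reply mentions.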
