auid always unset in event outputs, not showing the actual login user Id #2076
Comments
auid always set to 4294967295 in event outputs, not the actual login user Id
According to here https://www.reddit.com/r/redhat/s/OyQGjPd4PF, that means the

yes indeed, usually you initialize the Now why this thing is unset should be indeed investigated to understand, thanks for the report!

If it is 4294967295, then that's what the kernel returns, and we just print it. If there was a bug in Tetragon then we may return garbage data and not a specific value that indicates loginuid (auid) is not set.

Some reading first: https://linux.die.net/man/8/pam_loginuid . The loginuid is to track user sessions, and it is set from user space, so you should check your workload, how did you spawn this session and see why the loginuid is not set? Then the fix, in the software that spawned this session in the first place, is either to use pam_loginuid or

Hope this helps
Hey @tixxdz, thanks for sharing! Quick question, does the
Yes it works, when running Tetragon in k8s, docker or standalone just log in to the machine through ssh or normal login then inspect the tetragon events. Or to simply test it as root inside the session with the CAP_AUDIT_CONTROL capability enabled:

    # echo -n "99999" > /proc/self/loginuid
    # id
    uid=0(root) gid=0(root) groups=0(root)

Will produce:

    {
      "process_exec": {
        "process": {
          "exec_id": "OjgyMTAxNDUyNzQzNTozMTQ0NQ==",
          "pid": 31445,
          "uid": 0,
          "cwd": "/root",
          "binary": "/usr/bin/id",
          "flags": "execve clone",
          "start_time": "2024-02-14T07:15:32.466738422Z",
          "auid": 99999,
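For anyone consuming these events downstream, here is an added example (not part of the thread and not Tetragon code) that treats 4294967295 as "loginuid unset" when attributing `process_exec` events to a login user. The sample events are constructed from the fields shown above, and handling a missing `auid` key as unset is an assumption.

```python
import json

# The kernel stores an unset loginuid as (uid_t)-1, which prints as 4294967295.
AUID_UNSET = 2**32 - 1

# Constructed sample events (not captured output); they use only the
# process_exec fields shown in the thread above.
SAMPLE_EVENTS = """\
{"process_exec": {"process": {"pid": 31445, "uid": 0, "binary": "/usr/bin/id", "auid": 99999}}}
{"process_exec": {"process": {"pid": 31502, "uid": 0, "binary": "/usr/bin/id", "auid": 4294967295}}}
{"process_exec": {"process": {"pid": 31510, "uid": 1002, "binary": "/usr/bin/ls", "auid": 1002}}}
"""


def login_uid(process):
    """Return the audit login uid, or None when it was never set."""
    auid = process.get("auid")  # assumption: a missing key is treated as unset
    if auid is None or int(auid) == AUID_UNSET:
        return None
    return int(auid)


def attribute(lines):
    """Yield (pid, binary, uid, auid, note) for each process_exec event."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        proc = json.loads(line).get("process_exec", {}).get("process")
        if proc is None:
            continue  # other event types are skipped
        auid = login_uid(proc)
        uid = proc.get("uid")
        if auid is None:
            note = "loginuid unset"
        elif auid != uid:
            note = "uid differs from login user"
        else:
            note = "same user"
        yield proc.get("pid"), proc.get("binary"), uid, auid, note


if __name__ == "__main__":
    for row in attribute(SAMPLE_EVENTS):
        print(row)
```

Events that come back with `loginuid unset` point at how the session was spawned rather than at the event pipeline, which matches the explanation given earlier in the thread.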
What happened?
It's interesting that after I found the issue, I did a search for 4294967295 in this repo, and I found many results in the event outputs. Looks like I don't even need to provide more proof. JK 😄

Back to the issue, auid is supposed to be my login/real user Id. Somehow it's always 4294967295.

uid is my current user Id; as I switched to root, this is correct. auid should be my user's Id, so I know who the action was actually done by.

    uid=1002(ycao) gid=1003(ycao) groups=1003(ycao)
Tetragon Version
Latest
Kernel Version
6.1.72-96.166.amzn2023.x86_64, on Amazon Linux 2023 hosts
Kubernetes Version
No response
Bugtool
No response
Relevant log output
No response
Anything else?
No response