On Tue, Jul 19, 2005 at 11:16:47AM -0500, Debora Velarde wrote:
> We were asked to modify our 'at' and 'crontab' testcases so that the job
> being run contained a syscall.  Then we needed to verify that the correct
> audit record was generated for that syscall.  In doing so, I see that the
> audit record for the syscall executed by the job contains "auid=0", rather
> than "auid=500" which is the user I initially logged in with.
>
> I asked Klaus if this behavior is valid.  His reply, "The syscall audit
> record needs to have the auid of the user on whose behalf the job is
> executing, for example auid=500, *not* 0."

Just to clarify, the auid in the record isn't necessarily supposed to be
of the user you logged in as, it's supposed to be the ID of the user
creating the crontab entry. This is the same in normal use, but can be
different if you use "su" to change identity or submit jobs as root;
either one wouldn't be a good test case.

So if you use the "crontab" command as user "test" with uid 500 to submit
jobs, the syscalls generated by that job need to have auid 500. To avoid
confusion, you should create a fresh login session (i.e. via automated ssh)
for running the "crontab" command when submitting the job.

-Klaus
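
The check discussed in this thread, as an added example that is not part of the original message or of the test suite it mentions: it parses SYSCALL audit records and compares each record's auid with the uid of the user who submitted the job. The log lines, the `touch` job command and the function names are constructed for illustration.

```python
import re

# Constructed sample records (not from the thread); key=value layout of
# Linux audit records, trimmed to the fields this check needs.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1121789807.101:410): arch=40000003 syscall=5 success=yes exit=3 pid=2201 auid=500 uid=500 gid=500 euid=500 comm="touch" exe="/bin/touch"
type=SYSCALL msg=audit(1121789867.202:411): arch=40000003 syscall=5 success=yes exit=3 pid=2240 auid=0 uid=500 gid=500 euid=500 comm="touch" exe="/bin/touch"
type=SYSCALL msg=audit(1121789927.303:412): arch=40000003 syscall=5 success=yes exit=3 pid=2277 auid=4294967295 uid=500 gid=500 euid=500 comm="touch" exe="/bin/touch"
type=USER_START msg=audit(1121789800.000:409): user pid=2190 uid=0 auid=500 msg='PAM session open'
"""

# (uid_t)-1: the task's login uid was never set; some tools print it as -1.
UNSET_AUID = (4294967295, -1)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict of fields plus its event serial."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    match = SERIAL_RE.search(line)
    fields["serial"] = int(match.group(1)) if match else None
    return fields


def check_job_auid(log_text, comm, expected_auid):
    """Return (serial, auid, verdict) for every SYSCALL record made by `comm`."""
    results = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("comm") != comm:
            continue
        auid = int(rec["auid"])
        if auid == expected_auid:
            verdict = "ok"        # attributed to the submitting user
        elif auid in UNSET_AUID:
            verdict = "unset"     # no login uid recorded at all
        else:
            verdict = "wrong"     # e.g. auid=0 for a job submitted by uid 500
        results.append((rec["serial"], auid, verdict))
    return results


if __name__ == "__main__":
    for serial, auid, verdict in check_job_auid(SAMPLE_LOG, "touch", 500):
        print(f"event {serial}: auid={auid} -> {verdict}")
```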