sudo false negative in audit trails

Greetings, I'm chasing down a false negative I'm getting in my ausearch output which makes it look like successful sudo access results in a failed CRED_ACQ record. Is anyone else seeing this? I'm going to list out my system specs, but please actually look at a sudo run in your system (if similar) before writing off my non-standard pieces: - RHEL4u4 (2.6.9.-42.0.2) - audit-1.0.15 - quest-sudo-1.6.8p12q76 - pam 0.77-66.17 Command: # ausearch -m CRED_ACQ |grep sudo |tail -1 type=CRED_ACQ msg=audit(1190207432.508:168552): user pid=13971 uid=0 auid=1110 msg='PAM setcred: user=root exe="/opt/quest/bin/sudo" (hostname=?, addr=?, terminal=pts/1 result=Permission denied)' They're all like that. Remember - the sudo actually granted me access as requested. /etc/pam.d/sudo looks like this, as generated by quest-sudo: auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir account [ignore=ignore success=done default=die] pam_vas3.so password [ignore=ignore success=done default=die] pam_vas3.so session [ignore=ignore success=done default=die] pam_vas3.so create_homedir For those unfamiliar with Quest's VAS (Vintella Authentication System), it's basically a commercialized, polished winbindd from Samba 3. They have open-sourced their changes to the base package (good citizens) as they are basically kerberizing some of the tools. Sudo was modified to support treating Active Directory roles as Unix groups (e.g. DOMAIN\Administrators can run shells, but no one else). I've reviewed the base sudo package source code and could find no changelog entries to the part that tells PAM whether or not success was made. I know that sudo has to tell PAM who tells auditd whether or not VAS authenticated the user. Sudo works just find though - it's only the auditing which is squirelly. Original sudo page that interacts with PAM: http://www.sudo.ws/cgi-bin/cvsweb/sudo/auth/pam.c?rev=1.43&content-type= text/x-cvsweb-markup&only_with_tag=SUDO_1_6_8p1 Quests modifications to the same file: http://rc.quest.com/viewvc/sudo/tags/sudo-1.6.8p12q76/auth/pam.c?revisio n=77&view=markup So, I'm not so sure it's in sudo, but perhaps some bug between PAM and sudo that I don't understand. Can anyone else replicate this? As for PAM, well, 0.77 is very old, but it's the newest that RedHat has integrated. RedHat has not posted any PAM changes related to sudo since my package above. At least RHEL5 is using 0.99. Thanks for your time, Charlie Todd Ball Aerospace & Technologies Corp. This message and any enclosures are intended only for the addressee. Please notify the sender by email if you are not the intended recipient. If you are not the intended recipient, you may not use, copy, disclose, or distribute this message or its contents or enclosures to any other person and any such actions may be unlawful. Ball reserves the right to monitor and review all messages and enclosures sent to or from this email address.