I'm running kernel.35 with the audit 0.8 package and I see these problems.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -p 0 returns records that do not have a pid of 0.
----
time->Fri May 13 15:06:59 2005
type=CONFIG_CHANGE msg=audit(1116014819.245:0): audit_enabled=1 old=1 by
auid 4294967295
----
time->Fri May 13 15:06:59 2005
type=CONFIG_CHANGE msg=audit(1116014819.457:0): audit_backlog_limit=256
old=256 by auid 4294967295
----
time->Fri May 13 15:07:11 2005
type=CONFIG_CHANGE msg=audit(1116014831.958:0): auid 4294967295 added an
audit rule
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ul 0 returns records that do not have a login uid of 0.
type=DAEMON_START msg=audit(1116014676.856:314) auditd start, ver=0.8,
format=raw, uid=0 auditd pid=7489
type=CONFIG_CHANGE msg=audit(1116014677.059:0): audit_enabled=1 old=1 by
auid 0
type=CONFIG_CHANGE msg=audit(1116014677.271:0): audit_backlog_limit=256
old=256 by auid 0
type=CONFIG_CHANGE msg=audit(1116014679.581:0): auid 0 added an audit rule
type=DAEMON_END msg=audit(1116014685.651:315) auditd normal halt,
sending pid=7503 uid=0 auditd pid=7489
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ua xxx does not find records with a uid or effective uid of xxx.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -x /bin/chmod does not find records containing the executable name.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ausearch -ul 4294967295 returns records that do not match the login uid.
type=DAEMON_START msg=audit(1116014693.044:454) auditd start, ver=0.8,
format=raw, uid=0 auditd pid=7640
type=CONFIG_CHANGE msg=audit(1116014693.256:0): auid 0 removed an audit rule
type=CONFIG_CHANGE msg=audit(1116014693.249:0): audit_enabled=1 old=1 by
auid 0
type=CONFIG_CHANGE msg=audit(1116014693.664:0): audit_backlog_limit=256
old=256 by auid 0
type=LOGIN msg=audit(1116014701.630:0): login pid=7653 uid=0 old
loginuid=4294967295 new loginuid=503
type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132
loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd
(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh
result=Success)'
type=DAEMON_END msg=audit(1116014715.222:455) auditd normal halt,
sending pid=7684 uid=0 auditd pid=7640
--
Thanks,
Dan Jones
IBM Linux Technology Center, Security
512-838-1794 (T/L 678-1794)
hotrats(a)us.ibm.com
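
An added example, not part of the original message or of the audit package: a Python check that can be run over ausearch output to list the records that do not carry the requested value in the named field as a whole token. The records are copied from the message above with the e-mail line wraps rejoined; the function names, and which field names a given ausearch option is taken to cover, are assumptions of this example.

```python
import re

# Records copied from the message above, e-mail line wraps rejoined.
RECORDS = [
    "type=CONFIG_CHANGE msg=audit(1116014819.245:0): audit_enabled=1 old=1 "
    "by auid 4294967295",
    "type=CONFIG_CHANGE msg=audit(1116014831.958:0): auid 4294967295 added an "
    "audit rule",
    "type=LOGIN msg=audit(1116014701.630:0): login pid=7653 uid=0 old "
    "loginuid=4294967295 new loginuid=503",
    "type=USER msg=audit(1116014701.834:0): user pid=7653 uid=0 length=132 "
    "loginuid=503 msg='PAM session open: user=ausrch_u exe=/usr/sbin/sshd "
    "(hostname=localhost.localdomain, addr=127.0.0.1, terminal=ssh "
    "result=Success)'",
    "type=DAEMON_END msg=audit(1116014715.222:455) auditd normal halt, "
    "sending pid=7684 uid=0 auditd pid=7640",
]

# name=value tokens; \b keeps "uid" from matching inside "loginuid".
FIELD = re.compile(r"\b(\w+)=([^\s,)']+)")
# CONFIG_CHANGE records in this log write the audit uid as "auid N", no "=".
AUID = re.compile(r"\bauid (\d+)\b")


def parse_fields(record):
    """Return {name: [values]}; a name can repeat (old/new loginuid, two pids)."""
    fields = {}
    for name, value in FIELD.findall(record):
        fields.setdefault(name, []).append(value)
    for value in AUID.findall(record):
        fields.setdefault("auid", []).append(value)
    return fields


def false_hits(records, names, wanted):
    """Records where none of the fields in `names` equals `wanted` exactly."""
    return [
        r for r in records
        if not any(wanted in parse_fields(r).get(n, []) for n in names)
    ]


if __name__ == "__main__":
    # Field choice is an assumption: "pid" for a process-id search.
    for rec in false_hits(RECORDS, ["pid"], "0"):
        print("no pid=0 field:", rec[:60])
```
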