We have a CentOS 6.2 x86_64 system that's logging what looks to be erroneous audit information. We were receiving alerts for failed logins by a user who wasn't actually trying to log in. After some diagnosis, we figured out that the source of the events is our
tool that periodically checks to see if SSH is answering. When that happens, we see this log this entry:
type=USER_LOGIN msg=audit(1340312224.011:489216): user pid=28787 uid=0 auid=501 ses=8395 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207A01234567 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
This is the entry we get whenever there is an incomplete ssh connection, but usually the auid is the same as the ses= value. For some reason, on this system, it's using a particular user's auid, regardless of the login user. For example, ssh'ng to this system as
[email protected] and cancelling before providing a password generates this error. Attempting to log to an unrelated account with a bogus password will also create an entry with the incorrect auid value.