Audit record interpretation
Hi experts,
Below are the first two audit records for sid="22625":
<record version="2" event="login - telnet" iso8601="2011-07-13 07:33:48.702 -04:00"><subject audit-uid="ertwa" uid="ertwa" gid="develop" ruid="sbezwa" rgid="develop" pid="22625" sid="22625" tid="24 24 devsvr406"/><text>successful login</text><return errval="success" retval="0"/></record>
<record version="2" event="fcntl(2)" iso8601="2011-07-13 07:33:48.712 -04:00"><argument arg-num="2" value="0xe" desc="cmd"/><path>/var/yp/binding/dev.tor.scm.com/cache_binding</path><attribute mode="100444" uid="root" gid="root" fsid="228" nodeid="366126" device="0"/><subject audit-uid="ertwa" uid="root" gid="develop" ruid="root" rgid="develop" pid="22626" sid="22625" tid="24 24 devsvr406"/><return errval="success" retval="0"/></record>
Could anyone tell me how user ertwa's uid and ruid become root in the second record without a su record in between, and therefore change the attribute(s) of file /var/yp/binding/dev.tor.scm.com/cache_binding? Also, what attribute(s) of the file did he change exactly (mode or ownership)?
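An added example, not part of the original post, that parses praudit-style XML records like the two above and, per session id, flags every record whose uid or ruid differs from the session's login subject, alongside the mode and owner carried in the record's attribute token. The two records are embedded as a constructed sample; the enclosing <records> wrapper element is an assumption made so they parse as one document.

```python
"""Parse praudit-style XML audit records and flag identity changes within a session."""
import xml.etree.ElementTree as ET

# Constructed sample: the two records from the question, wrapped in an assumed
# <records> root element so that they parse as a single XML document.
SAMPLE = """<records>
<record version="2" event="login - telnet" iso8601="2011-07-13 07:33:48.702 -04:00"><subject audit-uid="ertwa" uid="ertwa" gid="develop" ruid="sbezwa" rgid="develop" pid="22625" sid="22625" tid="24 24 devsvr406"/><text>successful login</text><return errval="success" retval="0"/></record>
<record version="2" event="fcntl(2)" iso8601="2011-07-13 07:33:48.712 -04:00"><argument arg-num="2" value="0xe" desc="cmd"/><path>/var/yp/binding/dev.tor.scm.com/cache_binding</path><attribute mode="100444" uid="root" gid="root" fsid="228" nodeid="366126" device="0"/><subject audit-uid="ertwa" uid="root" gid="develop" ruid="root" rgid="develop" pid="22626" sid="22625" tid="24 24 devsvr406"/><return errval="success" retval="0"/></record>
</records>"""

def parse_records(xml_text):
    """Return one dict per <record> with the subject, path and attribute fields an analyst compares."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        subj = rec.find("subject")
        path = rec.find("path")
        attr = rec.find("attribute")
        out.append({
            "event": rec.get("event"),
            "time": rec.get("iso8601"),
            "audit_uid": subj.get("audit-uid"),   # identity established at login
            "uid": subj.get("uid"),               # effective uid of the process
            "ruid": subj.get("ruid"),             # real uid of the process
            "pid": subj.get("pid"),
            "sid": subj.get("sid"),
            "path": path.text if path is not None else None,
            "file_mode": attr.get("mode") if attr is not None else None,
            "file_owner": attr.get("uid") if attr is not None else None,
        })
    return out

def find_identity_changes(records):
    """Group records by sid; report those whose uid/ruid differ from the session's first (login) record."""
    by_sid = {}
    for r in records:
        by_sid.setdefault(r["sid"], []).append(r)
    findings = []
    for sid, recs in by_sid.items():
        login = recs[0]
        for r in recs[1:]:
            if r["uid"] != login["uid"] or r["ruid"] != login["ruid"]:
                findings.append({"sid": sid, "event": r["event"], "time": r["time"],
                                 "login_uid": login["uid"], "uid": r["uid"], "ruid": r["ruid"],
                                 "pid": r["pid"], "path": r["path"], "file_mode": r["file_mode"],
                                 "file_owner": r["file_owner"]})
    return findings

if __name__ == "__main__":
    for finding in find_identity_changes(parse_records(SAMPLE)):
        print(finding)
```

Running it on the sample reports the fcntl(2) record: same sid, a new pid, uid and ruid root, with the file's recorded mode 100444 and owner root.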