
Incorrect SourceUserName when using Solaris global zone.

I collect events from an Oracle Solaris local zone through syslog; the setup was performed according to the document SmartConnector for Oracle Solaris Basic Security Module Syslog.

I have a situation where a user (UID=5005) from the global zone logs in to the local zone and uses the su command:

<record version="2" event="su" host="db*" iso8601="2015-07-24 13:29:37.000 +03:00"><subject audit-uid="5005" uid="root" gid="root" ruid="root" rgid="root" pid="26104" sid="745664537" tid="12602 196630 10.*"/><text>success for user root</text><return errval="success" retval="0"/></record>

But the user with UID 5005 in the local zone does not match the user with UID 5005 in the global zone. In ArcSight I have incorrect information about SourceUserName: in the event I see user 5005, who ran "su" on host db* (local zone). In reality, this is another user: 5005 from the global host.

Colleagues, has anyone faced a similar problem?
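
The ambiguity described in the post, as an added example that is not part of the original post and is not ArcSight connector code: it parses the quoted record and declines to assign a user name when the numeric audit-uid resolves to different accounts in different zones. The zone names and account names in `ZONE_PASSWD` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Record quoted in the post (host and tid are masked there with "*").
RECORD = ('<record version="2" event="su" host="db*" '
          'iso8601="2015-07-24 13:29:37.000 +03:00">'
          '<subject audit-uid="5005" uid="root" gid="root" ruid="root" '
          'rgid="root" pid="26104" sid="745664537" tid="12602 196630 10.*"/>'
          '<text>success for user root</text>'
          '<return errval="success" retval="0"/></record>')

# Constructed per-zone UID maps (hypothetical zone and account names), such as
# could be built from each zone's passwd database. UID 5005 is a different
# account in each zone, which is the situation the post describes.
ZONE_PASSWD = {
    "global": {"5005": "alice_global"},
    "db-local": {"5005": "bob_local"},
}

def parse_su_record(xml_text):
    """Extract the fields relevant to user attribution from one BSM XML record."""
    rec = ET.fromstring(xml_text)
    subj = rec.find("subject")
    ret = rec.find("return")
    if subj is None:
        raise ValueError("record has no <subject> token")
    return {
        "event": rec.get("event"),
        "host": rec.get("host"),
        "audit_uid": subj.get("audit-uid"),
        "effective_uid": subj.get("uid"),
        "outcome": ret.get("errval") if ret is not None else None,
    }

def resolve_audit_uid(audit_uid, zone_passwd):
    """Return (name, candidates); name is set only when all zones agree."""
    candidates = {zone: users[audit_uid]
                  for zone, users in zone_passwd.items() if audit_uid in users}
    names = set(candidates.values())
    name = names.pop() if len(names) == 1 else None
    return name, candidates

if __name__ == "__main__":
    fields = parse_su_record(RECORD)
    name, candidates = resolve_audit_uid(fields["audit_uid"], ZONE_PASSWD)
    print(fields)
    print("SourceUserName:", name or f"ambiguous, candidates: {candidates}")
```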
