Timothy R. Chavez wrote: [Thu Aug 10 2006, 11:04:29AM EDT]
On Wed, 2006-08-09 at 18:08 -0400, Rick Warner wrote:
> Hello all,
>
> I am trying to set up file watches for files such as /etc/passwd
> and /etc/shadow. I am using Suse 10.1. I have updated the kernel to a
> kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to
> version 1.2.3. I can add filesystem watches with "auditctl -w /etc/passwd"
> successfully now. Entries in the audit.log are created.
>
> The first problem is that when I use "aureport -w", it tells me "<no events of
> interest were found>". Using "aureport -f" instead, it shows entries
> for /etc/passwd, but the auid column for all results is -1 (or "unset" if
> using the -i option to aureport). Looking at the audit logfile,
> auid=4294967295 which then correlates to -1 when used as a signed vs unsigned
> int.
>
> How can I fix this?
>
Rick,
I believe a special PAM package is used to capture the login uid (auid).
I'm guessing that's where your problem lies.
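
An added example, not part of the original thread: a small Python parser that correlates SYSCALL and PATH audit records for watched files and treats auid=4294967295 as the unset login uid discussed above. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

AUID_UNSET = 0xFFFFFFFF  # 4294967295 as unsigned 32-bit, -1 when read as signed

# Constructed sample records (not taken from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1155222269.123:42): arch=40000003 syscall=5 success=yes exit=3 pid=2345 auid=4294967295 uid=0 gid=0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1155222269.123:42): item=0 name="/etc/passwd" inode=1234 dev=03:02 mode=0100644
type=SYSCALL msg=audit(1155222301.456:43): arch=40000003 syscall=5 success=yes exit=3 pid=2400 auid=1000 uid=0 gid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1155222301.456:43): item=0 name="/etc/shadow" inode=1235 dev=03:02 mode=0100600
type=SYSCALL msg=audit(1155222350.789:44): arch=40000003 syscall=5 success=yes exit=3 pid=2410 auid=1000 uid=1000 gid=100 comm="ls" exe="/bin/ls"
type=PATH msg=audit(1155222350.789:44): item=0 name="/tmp/x" inode=99 dev=03:02 mode=0100644
"""

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number (records of one event share it)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype].append(fields)
    return events

def auid_as_signed(auid):
    """Reinterpret an unsigned 32-bit auid as a signed 32-bit integer."""
    return auid - (1 << 32) if auid >= (1 << 31) else auid

def watched_accesses(text, watched):
    """Return (serial, path, exe, auid) rows; auid is None when unset."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        for sc in recs.get("SYSCALL", []):
            auid = int(sc["auid"])
            for p in recs.get("PATH", []):
                if p.get("name") in watched:
                    out.append((serial, p["name"], sc["exe"],
                                None if auid == AUID_UNSET else auid))
    return out

if __name__ == "__main__":
    for row in watched_accesses(SAMPLE_LOG, {"/etc/passwd", "/etc/shadow"}):
        print(row)
```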