Re: auid=4294967295 issue
On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote:
we have some linux servers and a central log collector system. we
are
sending audit logs to this log system. this log collector system can
parse such logs but this system confused at lines with "auid=4294967295"
in audit logs.
auid=4294967295 is the same as auid=-1 which means that its unset.
i have tried everything but still this lines are coming:
type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
auid=4294967295 msg='PAM: accounting acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
auid=4294967295 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
and
[root@test /root]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
session required pam_loginuid.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
so is there any other hints or what can i do esle?
Your pam file looks different than what is shipped. You might want to try the
default config file for crond:
auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth
-Steve