Re: auid bug
Are you sure you have pam_loginuid.so configured in the appropriate
/etc/pam.d/* files, such as login and sshd?
I'm running the .41 kernel and the audit-1.2.4 tools and
the auid is correct in the audit records on my system.
This is what my /etc/pam.d/login file looks like:
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
-- ljk
Steve wrote:
I am receiving audit events with an odd auid... I am not sure if
this
is something wrong in the kernel or in audit. The auid I am receiving
is 4294967295 (the max value for an unsigned long). The other uid/gid
information is normal.
I have seen this on all audit versions since audit-1.2.3, and noticed it
using the following kernels:
2.6.17-1.2293.2.2_FC6.lspp.38.i686
2.6.17-1.2293.2.2_FC6.lspp.44.i686
The first time I noticed this was after the filter_key patch I applied
to audit-1.2.3, but it may have nothing to do with that patch. I
mentioned it then:
https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html
There is an example record from the audit dispatcher there.
These events are coming straight from the real-time audit dispatcher.
Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit