auid=4294967295 issue
Hi Steve,
thanks for your assistance,
For RHEL5, I know its enabled. But based on your questions above, you
are
asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
# cat /proc/cmdline
and
# cat /proc/self/loginuid
would let you check. In the first, make sure audit=1 is there and in the second
case, the output should be the uid under which you logged into the system.
-Steve
[root@test /root]# cat /proc/cmdline
ro root=LABEL=/ audit=1 rhgb quiet
[root@test /root]# cat /proc/self/loginuid
0
To narrow the circle;
we have some linux servers and a central log collector system. we are
sending audit logs to this log system. this log collector system can
parse such logs but this system confused at lines with "auid=4294967295"
in audit logs.
i have tried everything but still this lines are coming:
type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
auid=4294967295 msg='PAM: accounting acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
auid=4294967295 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
and
[root@test /root]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
session required pam_loginuid.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
so is there any other hints or what can i do esle?
Attachments:
- attachment.html (text/html — 2.2 KB)