Thanks.
I removed quiet from gruf.conf and I see from the output at boot.
I do see like
start audit [ok]

The problem is, cat /proc/self/loginuid is still 4294967295 if I login.

However, I do see lots of events the auid is 0.  I even see auid change reflect in the event.
Like

type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952 uid=root old auid=unset new auid=root

So, I am really confused.

 




On Wed, Jul 24, 2013 at 6:53 AM, Steve Grubb <sgrubb@redhat.com> wrote:
On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> I read my audit logs.I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?

In a normal system, there will be some events with 4294967295. These should be
daemons and system events. Anything caused by a user should have the auid set
to their uid. This is done by pam_loginuid.

> I added pam_loginuid to  gdm, login, kdm, sshd, vsftpd. Howver, it is still
> the same value?
> I wonder what is wrong?

cat /proc/self/loginuid

If that shows the account you logged in with, its working. If not, then
something is wrong with pam or the kernel.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit