[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auid bug



Are you sure you have pam_loginuid.so configured in the appropriate
/etc/pam.d/* files, such as login and sshd?

I'm running the .41 kernel and the audit-1.2.4 tools and
the auid is correct in the audit records on my system.

This is what my /etc/pam.d/login file looks like:
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

-- ljk

Steve wrote:
> I am receiving audit events with an odd auid...  I am not sure if this
> is something wrong in the kernel or in audit.  The auid I am receiving
> is 4294967295 (the max value for an unsigned long).  The other uid/gid
> information is normal.
> 
> I have seen this on all audit versions since audit-1.2.3, and noticed it
> using the following kernels:
> 
> 2.6.17-1.2293.2.2_FC6.lspp.38.i686
> 2.6.17-1.2293.2.2_FC6.lspp.44.i686
> 
> The first time I noticed this was after the filter_key patch I applied
> to audit-1.2.3, but it may have nothing to do with that patch.  I
> mentioned it then:
> 
> https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html
> 
> There is an example record from the audit dispatcher there.
> 
> These events are coming straight from the real-time audit dispatcher.
> 
> Steve
> 
> -- 
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]