auid bug
Linda Knippers
linda.knippers at hp.com
Thu Jul 20 15:19:41 UTC 2006
Are you sure you have pam_loginuid.so configured in the appropriate
/etc/pam.d/* files, such as login and sshd?
I'm running the .41 kernel and the audit-1.2.4 tools and
the auid is correct in the audit records on my system.
This is what my /etc/pam.d/login file looks like:
#%PAM-1.0
auth required pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
-- ljk
Steve wrote:
> I am receiving audit events with an odd auid... I am not sure if this
> is something wrong in the kernel or in audit. The auid I am receiving
> is 4294967295 (the max value for an unsigned long). The other uid/gid
> information is normal.
>
> I have seen this on all audit versions since audit-1.2.3, and noticed it
> using the following kernels:
>
> 2.6.17-1.2293.2.2_FC6.lspp.38.i686
> 2.6.17-1.2293.2.2_FC6.lspp.44.i686
>
> The first time I noticed this was after the filter_key patch I applied
> to audit-1.2.3, but it may have nothing to do with that patch. I
> mentioned it then:
>
> https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html
>
> There is an example record from the audit dispatcher there.
>
> These events are coming straight from the real-time audit dispatcher.
>
> Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list