auid unset

Kirkwood, David A. DAVID.A.KIRKWOOD at saic.com
Thu Dec 6 19:42:30 UTC 2007


Thanks Klaus,

The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both systems. I grepped for loginuid.so in the pam.d directory and it appears in all of the same pam entries on both systems. 
No luck yet, however I appreciate your help.

David A. Kirkwood


>> 
>> I need some help with configuration. First, I do not remember how to
>> tell the version of the auditd I am running. I tried to get it by
>> pulling strings with no success. 
>
>To identify the audit version you're running, you could use the package version+release or possibly >something like 
>$ audearch -m DAEMON_START 
>Look for the last message and for the 'ver=' field. 
> 
>> If someone can help me with what needs to be set, I would appreciate it.
>> I compared all of the obvious files, such as all pam files, the
>> audit.rules, auditd.conf and syslog.conf and they all seem to be the
>> same.
>
>Make sure you have 'session        required        pam_loginuid.so' entries in your pam configuration >(/etc/pam.d/{atd,crond,login,remote,sshd}) 
>
>restart system after that... 

>Klaus 

>-- 
>Klaus Heinrich Kiwi/Brazil/IBM <klausk at br.ibm.com>
>Software Engineer
>IBM STG, Linux Technology Center
>Phone:(+55-19) 2132-1909 [T/L 839-1909]




More information about the Linux-audit mailing list