why auid always unset?
Steve Grubb
sgrubb at redhat.com
Wed Jul 24 13:53:29 UTC 2013
On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> I read my audit logs.I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?
In a normal system, there will be some events with 4294967295. These should be
daemons and system events. Anything caused by a user should have the auid set
to their uid. This is done by pam_loginuid.
> I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. Howver, it is still
> the same value?
> I wonder what is wrong?
cat /proc/self/loginuid
If that shows the account you logged in with, its working. If not, then
something is wrong with pam or the kernel.
-Steve
More information about the Linux-audit
mailing list