why auid always unset?

zhu xiuming xiumingzhu at gmail.com
Thu Jul 25 22:35:52 UTC 2013


Thanks.
I removed quiet from grub.conf and I see from the output at boot.
I do see like
start audit [ok]

The problem is, cat /proc/self/loginuid is still 4294967295 if I log in.

However, I do see lots of events where the auid is 0.  I even see the auid
change reflected in the event.
Like

type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
uid=root old auid=unset new auid=root

So, I am really confused.





On Wed, Jul 24, 2013 at 6:53 AM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> > I read my audit logs. I always see lots of auid values are 4294967295. Even
> > when I delete a file, the value is still 4294967295?
>
> In a normal system, there will be some events with 4294967295. These should be
> daemons and system events. Anything caused by a user should have the auid set
> to their uid. This is done by pam_loginuid.
>
> > I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
> > the same value?
> > I wonder what is wrong?
>
> cat /proc/self/loginuid
>
> If that shows the account you logged in with, it's working. If not, then
> something is wrong with pam or the kernel.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
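
An added example, not part of either message: a small Python diagnostic for the check discussed in this thread. It interprets the value in /proc/self/loginuid and tests whether a PAM service file has an active session line for pam_loginuid.so. The function names and the sample PAM text are constructed for illustration, and the /etc/pam.d location is an assumption about the system layout.

```python
import os

UNSET_AUID = 2**32 - 1  # 4294967295 == (uid_t)-1, the "unset" value in this thread
SERVICES = ("gdm", "login", "kdm", "sshd", "vsftpd")  # services named in the thread

# Constructed sample of a PAM service file (not taken from any real system).
SAMPLE_PAM = """\
#%PAM-1.0
auth       include      system-auth
#session   required     pam_loginuid.so
session    required     pam_loginuid.so
session    include      system-auth
"""


def parse_loginuid(raw):
    """Return the login UID from /proc/<pid>/loginuid text, or None if unset."""
    value = int(raw.strip())
    return None if value == UNSET_AUID else value


def has_pam_loginuid(pam_text):
    """True if an uncommented session line loads pam_loginuid.so.

    Lines pulled in through include/substack are not followed.
    """
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0].lstrip("-") == "session":
            if any(os.path.basename(f) == "pam_loginuid.so" for f in fields[2:]):
                return True
    return False


if __name__ == "__main__":
    try:
        with open("/proc/self/loginuid") as fh:
            print("loginuid:", parse_loginuid(fh.read()))
    except OSError as exc:  # e.g. no /proc/self/loginuid on this system
        print("cannot read loginuid:", exc)
    for svc in SERVICES:
        try:
            with open(os.path.join("/etc/pam.d", svc)) as fh:
                print(svc, "pam_loginuid" if has_pam_loginuid(fh.read()) else "MISSING")
        except OSError:
            print(svc, "no PAM file")
```

A result of `None` from a shell started through one of the listed services, together with `MISSING` for that service, points at the PAM configuration rather than the kernel.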