why auid always unset?

zhu xiuming xiumingzhu at gmail.com
Fri Jul 26 21:20:04 UTC 2013


Hi,
Finally, I found it out: the order of pam_loginuid was wrong. It should be
the first part of the session required modules.
Now it works.
Thanks a lot.



On Thu, Jul 25, 2013 at 4:58 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:

> So, what should be the right settings for pam_loginuid? Is there any
> documentation?
>
> thanks a lot
>
>
> On Thu, Jul 25, 2013 at 4:54 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote:
>> > The problem is, cat /proc/self/loginuid is still 4294967295 if I log in.
>> >
>> > However, I do see lots of events where the auid is 0.  I even see the auid
>> > change reflected in the event.
>> > Like
>> >
>> > type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
>> > uid=root old auid=unset new auid=root
>>
>> This would be a root login. Which should be forbidden since root is a shared
>> account amongst admins.
>>
>>
>> > So, I am really confused.
>>
>> Something is wrong in your pam setup. You might check the compile flags or if
>> pam_loginuid is in the right section. But that is undoubtedly the problem.
>>
>> -Steve
>>
>
>
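
Added example (not part of the original thread or of the audit project's code): a small check for the two symptoms discussed above, namely whether /proc/self/loginuid still holds the unset value 4294967295 and where pam_loginuid.so sits among a service's session lines. The sample PAM stacks and all function names are constructed for illustration.

```python
import os

UNSET_AUID = 2**32 - 1  # 4294967295, i.e. (uint32)-1: no login uid recorded

def parse_loginuid(text):
    """Return the audit login uid as an int, or None when it is unset."""
    value = int(text.strip())
    return None if value == UNSET_AUID else value

def session_stack(pam_text):
    """Return the module names of the 'session' lines, in stack order."""
    stack = []
    for line in pam_text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        rest = fields[1:]
        if rest[0].startswith("["):                 # bracketed control: [a=b c=d]
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
        if len(rest) < 2:
            continue
        stack.append(os.path.basename(rest[1]))     # module may be a full path
    return stack

def loginuid_position(pam_text):
    """Index of pam_loginuid.so in the session stack, or None if absent."""
    stack = session_stack(pam_text)
    return stack.index("pam_loginuid.so") if "pam_loginuid.so" in stack else None

# Constructed sample stacks (assumptions, not taken from the thread).
MISORDERED = """\
auth       include      system-auth
session    required     pam_limits.so
session    optional     pam_keyinit.so force revoke
session    required     pam_loginuid.so   # not first
"""
FIXED = """\
auth       include      system-auth
session    required     pam_loginuid.so
session    required     pam_limits.so
session    optional     pam_keyinit.so force revoke
"""

if __name__ == "__main__":
    for name, text in (("misordered", MISORDERED), ("fixed", FIXED)):
        print(name, "-> pam_loginuid.so at session position", loginuid_position(text))
    if os.path.exists("/proc/self/loginuid"):
        with open("/proc/self/loginuid") as fh:
            auid = parse_loginuid(fh.read())
        print("current auid:", "unset" if auid is None else auid)
```

To check a real service, pass the contents of its file under /etc/pam.d/ to loginuid_position(); included files are listed by name in the stack but not followed.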