aulast only displaying reboot pseudo-users
Laurent Bigonville
bigon at debian.org
Sat Jun 14 11:53:19 UTC 2014
Le Thu, 5 Jun 2014 19:34:04 +0200,
Laurent Bigonville <bigon at debian.org> a écrit :
> Le Wed, 04 Jun 2014 19:04:52 -0400,
> Steve Grubb <sgrubb at redhat.com> a écrit :
[...]
> > You are missing a type=LOGIN event right here. If you do a "cat
> > /proc/self/loginuid" and its set to something besides -1, we have a
> > kernel bug.
> >
>
>
> Actually, my grepping was wrong, I'm seeing this the following line
> too:
>
> type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0
> old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1
Any idea here then?
Regarding "/proc/self/loginuid" it's always set to the uid of the user
here.
Looking at aulast code, I can see that there are differences for
kernels before or after 3.13. My machine is running 3.14, could this be
related?
Cheers,
Laurent Bigonville
More information about the Linux-audit
mailing list