auid=4294967295 issue
Burak Gürer
burak4burak at msn.com
Mon Jan 12 10:12:02 UTC 2015
Hi Steve,
thanks for your assistance,
> For RHEL5, I know its enabled. But based on your questions above, you are
> asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
>
> # cat /proc/cmdline
>
> and
>
> # cat /proc/self/loginuid
>
> would let you check. In the first, make sure audit=1 is there and in the second
> case, the output should be the uid under which you logged into the system.
>
> -Steve
[root at test /root]# cat /proc/cmdline
ro root=LABEL=/ audit=1 rhgb quiet
[root at test /root]# cat /proc/self/loginuid
0
To narrow the circle;
we have some linux servers and a central log collector system. we are
sending audit logs to this log system. this log collector system can
parse such logs but this system confused at lines with "auid=4294967295"
in audit logs.
i have tried everything but still this lines are coming:
type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
auid=4294967295 msg='PAM: accounting acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
auid=4294967295 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
and
[root at test /root]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
session required pam_loginuid.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
so is there any other hints or what can i do esle?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20150112/cd23090b/attachment.htm>
More information about the Linux-audit
mailing list