From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rick Warner
Subject: issue with file watches on Suse 10.1 using latest 2.6.18-rc4 and audit 1.2.3
Date: Wed, 9 Aug 2006 18:08:29 -0400
Message-ID: <200608091808.29687.rick@microway.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello all,

I am trying to set up file watches for files such as /etc/passwd and /etc/shadow. I am using Suse 10.1. I have updated the kernel to a kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to version 1.2.3.

I can add filesystem watches with "auditctl -w /etc/passwd" successfully now. Entries in the audit.log are created.

The first problem is that when I use "aureport -w", it tells me "". Using "aureport -f" instead, it shows entries for /etc/passwd, but the auid column for all results is -1 (or "unset" if using the -i option to aureport). Looking at the audit logfile, auid=4294967295 which then correlates to -1 when used as a signed vs unsigned int.

How can I fix this?

-- 
Richard Warner
Lead Systems Integrator
Microway, Inc
(508)732-5517
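
An added example, not part of the original message and not code from the audit project: it joins SYSCALL and PATH records by event serial to produce a per-file listing, and shows that auid=4294967295 reads as -1 when reinterpreted as a signed 32-bit integer and is labelled "unset". The sample records, their field layout and the function names are constructed for illustration.

```python
import re
import struct

UNSET_AUID = 0xFFFFFFFF  # 4294967295, the auid value quoted in the post

# Constructed sample records (not from the original post); field layout is assumed.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1155161300.101:41): syscall=5 success=yes pid=2101 auid=4294967295 uid=0 comm="cron"
type=PATH msg=audit(1155161300.101:41): name="/etc/passwd" inode=1201 dev=03:02
type=SYSCALL msg=audit(1155161305.250:42): syscall=5 success=yes pid=2230 auid=1000 uid=0 comm="vi"
type=PATH msg=audit(1155161305.250:42): name="/etc/shadow" inode=1202 dev=03:02
'''

RECORD = re.compile(r'type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def as_signed32(value):
    """Reinterpret an unsigned 32-bit value as signed, as a %d-style print would."""
    return struct.unpack('<i', struct.pack('<I', value))[0]

def file_report(log_text):
    """Join SYSCALL and PATH records by event serial: (serial, path, signed auid, label)."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(int(serial), {'paths': [], 'auid': None})
        if rtype == 'SYSCALL' and 'auid' in fields:
            ev['auid'] = int(fields['auid'])
        elif rtype == 'PATH' and 'name' in fields:
            ev['paths'].append(fields['name'])
    rows = []
    for serial, ev in sorted(events.items()):
        auid = ev['auid']
        if auid is None:
            continue  # PATH record without a matching SYSCALL record
        label = 'unset' if auid == UNSET_AUID else str(auid)
        rows.extend((serial, p, as_signed32(auid), label) for p in ev['paths'])
    return rows

if __name__ == '__main__':
    for row in file_report(SAMPLE_LOG):
        print(row)
```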