From mboxrd@z Thu Jan 1 00:00:00 1970
From: Amy Griffis
Subject: Re: issue with file watches on Suse 10.1 using latest 2.6.18-rc4 and audit 1.2.3
Date: Thu, 10 Aug 2006 11:40:41 -0400
Message-ID: <20060810154041.GA12092@fc.hp.com>
References: <200608091808.29687.rick@microway.com> <1155222269.15877.8.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Return-path:
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k7AFevCL028115 for ; Thu, 10 Aug 2006 11:40:57 -0400
Received: from atlrel9.hp.com (atlrel9.hp.com [156.153.255.214]) by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id k7AFeuKS008944 for ; Thu, 10 Aug 2006 11:40:57 -0400
Content-Disposition: inline
In-Reply-To: <1155222269.15877.8.camel@localhost.localdomain>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Timothy R. Chavez"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Timothy R. Chavez wrote: [Thu Aug 10 2006, 11:04:29AM EDT]
> On Wed, 2006-08-09 at 18:08 -0400, Rick Warner wrote:
> > Hello all,
> >
> > I am trying to set up file watches for files such as /etc/passwd
> > and /etc/shadow. I am using Suse 10.1. I have updated the kernel to a
> > kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to
> > version 1.2.3. I can add filesystem watches with "auditctl -w /etc/passwd"
> > successfully now. Entries in the audit.log are created.
> >
> > The first problem is that when I use "aureport -w", it tells me "
> > interest were found>". Using "aureport -f" instead, it shows entries
> > for /etc/passwd, but the auid column for all results is -1 (or "unset" if
> > using the -i option to aureport). Looking at the audit logfile,
> > auid=4294967295 which then correlates to -1 when used as a signed vs unsigned
> > int.
> >
> > How can I fix this?
> >
>
> Rick,
>
> I believe a special PAM package is used to capture the login uid (auid).
> I'm guessing that's where your problem lies.

pam_loginuid(8) has some helpful info.
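
The auid=4294967295 value discussed in this thread is the all-ones 32-bit value, meaning no login uid was ever recorded for the process. The following is an added example, not part of the original message or of the audit tools: it joins SYSCALL and PATH records by audit serial and reports which accesses to watched files carry an unset auid. The log records are constructed samples with a simplified field set, and the function names are hypothetical.

```python
import re
from collections import defaultdict

UNSET_AUID = 0xFFFFFFFF  # 4294967295, i.e. (uint32_t)-1: no login uid was set

# Constructed sample records (not taken from the thread); fields are simplified.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1155222000.101:41): arch=40000003 syscall=5 success=yes exit=3 pid=2101 auid=4294967295 uid=0 gid=0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1155222000.101:41): name="/etc/passwd" inode=1201 dev=03:02 mode=0100644
type=SYSCALL msg=audit(1155222050.220:42): arch=40000003 syscall=5 success=yes exit=3 pid=2150 auid=500 uid=0 gid=0 comm="passwd" exe="/usr/bin/passwd"
type=PATH msg=audit(1155222050.220:42): name="/etc/shadow" inode=1202 dev=03:02 mode=0100600
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by audit serial so the SYSCALL and PATH records of one event are joined."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        rec_type = line.split(None, 1)[0].split('=', 1)[1]
        events[int(m.group(2))][rec_type] = fields
    return events

def auid_label(raw):
    """Return 'unset' for the all-ones value (also when printed as signed -1), else the uid."""
    value = int(raw) & 0xFFFFFFFF
    return 'unset' if value == UNSET_AUID else str(value)

def watched_accesses(log_text, watched=('/etc/passwd', '/etc/shadow')):
    """List (serial, path, auid, exe) for every event that touched a watched file."""
    rows = []
    for serial, recs in sorted(parse_events(log_text).items()):
        path = recs.get('PATH', {}).get('name')
        sc = recs.get('SYSCALL')
        if path in watched and sc:
            auid = auid_label(sc.get('auid', str(UNSET_AUID)))
            rows.append((serial, path, auid, sc.get('exe')))
    return rows

if __name__ == '__main__':
    for row in watched_accesses(SAMPLE_LOG):
        print(*row)
```

Rows reported as `unset` come from processes whose session never had a login uid assigned, which is the condition the replies above attribute to the PAM configuration.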