From: "Timothy R. Chavez"
Subject: Re: issue with file watches on Suse 10.1 using latest 2.6.18-rc4 and audit 1.2.3
Date: Thu, 10 Aug 2006 10:04:29 -0500
Message-ID: <1155222269.15877.8.camel@localhost.localdomain>
References: <200608091808.29687.rick@microway.com>
In-Reply-To: <200608091808.29687.rick@microway.com>
To: Rick Warner
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2006-08-09 at 18:08 -0400, Rick Warner wrote:
> Hello all,
>
> I am trying to set up file watches for files such as /etc/passwd
> and /etc/shadow. I am using Suse 10.1. I have updated the kernel to a
> kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to
> version 1.2.3. I can add filesystem watches with "auditctl -w /etc/passwd"
> successfully now. Entries in the audit.log are created.
>
> The first problem is that when I use "aureport -w", it tells me " interest were found>". Using "aureport -f" instead, it shows entries
> for /etc/passwd, but the auid column for all results is -1 (or "unset" if
> using the -i option to aureport). Looking at the audit logfile,
> auid=4294967295 which then correlates to -1 when used as a signed vs unsigned
> int.
>
> How can I fix this?
>

Rick,

I believe a special PAM package is used to capture the login uid (auid).
I'm guessing that's where your problem lies.

-tim
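
The unset-auid symptom discussed in this thread can be checked directly against the log. The following is an added example, not code from the original messages or from the audit project: it pairs SYSCALL and PATH records by event serial and lists file accesses whose login uid is 4294967295. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

UNSET_AUID = 0xFFFFFFFF  # 4294967295 == (uint32)-1: no login uid was recorded

# Constructed sample records in audit.log key=value style (not from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1155222000.101:41): syscall=5 success=yes pid=2301 auid=4294967295 uid=0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1155222000.101:41): name="/etc/passwd" inode=8123 dev=03:02
type=SYSCALL msg=audit(1155222050.220:42): syscall=5 success=yes pid=2410 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw"
type=PATH msg=audit(1155222050.220:42): name="/etc/passwd" inode=8123 dev=03:02
type=SYSCALL msg=audit(1155222090.007:43): syscall=5 success=no pid=2455 auid=4294967295 uid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1155222090.007:43): name="/etc/shadow" inode=8140 dev=03:02
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial; the records of one event share it."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype] = fields  # keeps the last record per type
    return events

def signed_auid(auid):
    """Reinterpret the unsigned 32-bit auid as signed, giving the report's -1."""
    return auid - (1 << 32) if auid >= (1 << 31) else auid

def unattributed_accesses(text):
    """Return (serial, path, uid, exe) for file events whose login uid is unset.
    A SYSCALL record with no auid field at all is also treated as unset."""
    hits = []
    for serial, recs in sorted(parse_events(text).items()):
        sc, path = recs.get("SYSCALL"), recs.get("PATH")
        if sc and path and int(sc.get("auid", UNSET_AUID)) == UNSET_AUID:
            hits.append((serial, path["name"], int(sc["uid"]), sc["exe"]))
    return hits

if __name__ == "__main__":
    for hit in unattributed_accesses(SAMPLE_LOG):
        print("auid unset:", hit)
```

If every watched-file event shows up in this list, no login uid is being set for any session, which is consistent with the login path never recording one.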