From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Need help,
	we are receiving type=SYSCALL with auid=unset event entries
Date: Tue, 03 Jun 2014 21:56:34 -0400
Message-ID: <1525320.RtkigMWjPM@x2>
References: <OF8AB1B758.42F95C22-ON87257CEC.00705B03-07257CEC.00707DDF@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <OF8AB1B758.42F95C22-ON87257CEC.00705B03-07257CEC.00707DDF@us.ibm.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, June 03, 2014 01:28:40 PM Briane Lin wrote:
> We are unable to properly monitor an event with AUID=unset, does anyone 
> know why we are currently seeing these and what is the resolution?

If you have an unset auid and its supposed to be meaningful, then the way that 
people are logging in does not set the auid. This can be done in entrypoint 
software by calling audit_setloginuid(). Pam has coding examples.

-Steve