From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Audit config for NISPOM req's Date: Fri, 12 Jan 2007 14:49:32 -0500 Message-ID: <200701121449.32200.sgrubb@redhat.com> References: <200612221033.23644.sgrubb@redhat.com> <200701121138.31139.sgrubb@redhat.com> <954E3479CC27224785179CA04904214D04A04318@0668-its-exmp01.us.saic.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <954E3479CC27224785179CA04904214D04A04318@0668-its-exmp01.us.saic.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: "Kirkwood, David A." Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Friday 12 January 2007 13:45, Kirkwood, David A. wrote: > Then when I execute aureport -w --failed, the auid field shows up as -1 > as it does for every watch list. Am I missing something? Yes. #cd /etc/pam.d #grep loginuid * See if you have that in your pam stack. You should see something like this: atd:session required pam_loginuid.so crond:session required pam_loginuid.so gdm:session required pam_loginuid.so gdm-autologin:session required pam_loginuid.so kcheckpass:session required pam_loginuid.so kdm:session required pam_loginuid.so kdm-np:session required pam_loginuid.so kscreensaver:session required pam_loginuid.so login:session required pam_loginuid.so remote:session required pam_loginuid.so sshd:session required pam_loginuid.so vsftpd:session required pam_loginuid.so xdm:session required pam_loginuid.so -Steve