From: Robert Evans
Subject: Confused about audit=1 in grub.conf
Date: Thu, 28 Oct 2010 15:40:58 -0400
Message-ID: <4CC9D1CA.3050802@jhuapl.edu>
To: linux-audit@redhat.com

Hi,

I did some research and am confused about starting the audit daemon at boot time, so that you don't get auids of 4294967295.

In RHEL 5.5, my grub.conf looks like this:

audit=1
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda4
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-194.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.18-194.el5.img

audit=1 is the first line, so why am I still getting the 4294967295 auids?

Thanks


From: Steve Grubb
Subject: Re: Confused about audit=1 in grub.conf
Date: Thu, 28 Oct 2010 16:22:20 -0400
Message-ID: <201010281622.20813.sgrubb@redhat.com>
In-Reply-To: <4CC9D1CA.3050802@jhuapl.edu>
To: linux-audit@redhat.com
Cc: Robert Evans

On Thursday, October 28, 2010 03:40:58 pm Robert Evans wrote:
> I did some research and am confused about starting the audit daemon at
> boot time, so that you don't get auids of 4294967295.
> 
> In RHEL 5.5, my grub.conf looks like this:
> 
> audit=1
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this
> file # NOTICE:  You have a /boot partition.  This means that
> #          all kernel and initrd paths are relative to /boot/, eg.
> #          root (hd0,0)
> #          kernel /vmlinuz-version ro root=/dev/sda4
> #          initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title Red Hat Enterprise Linux Server (2.6.18-194.el5)
>         root (hd0,0)
>         kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet

You needed to add audit=1 to the kernel line ^^^ so that it's passed to the
kernel.

>         initrd /initrd-2.6.18-194.el5.img
> 
> 
> audit=1 is the first line, so why am I still getting the 4294967295
> auids?

From: Eric Paris
Subject: Re: Confused about audit=1 in grub.conf
Date: Thu, 28 Oct 2010 20:21:42 -0400
Message-ID: <1288311702.3017.12.camel@localhost.localdomain>
In-Reply-To: <201010281622.20813.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, Robert Evans

On Thu, 2010-10-28 at 16:22 -0400, Steve Grubb wrote:
> On Thursday, October 28, 2010 03:40:58 pm Robert Evans wrote:
> > I did some research and am confused about starting the audit daemon at
> > boot time, so that you don't get auids of 4294967295.
> > 
> > In RHEL 5.5, my grub.conf looks like this:
> > 
> > audit=1
> > # grub.conf generated by anaconda
> > #
> > # Note that you do not have to rerun grub after making changes to this
> > file # NOTICE:  You have a /boot partition.  This means that
> > #          all kernel and initrd paths are relative to /boot/, eg.
> > #          root (hd0,0)
> > #          kernel /vmlinuz-version ro root=/dev/sda4
> > #          initrd /initrd-version.img
> > #boot=/dev/sda
> > default=0
> > timeout=5
> > splashimage=(hd0,0)/grub/splash.xpm.gz
> > hiddenmenu
> > title Red Hat Enterprise Linux Server (2.6.18-194.el5)
> >         root (hd0,0)
> >         kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
> 
> You needed to add audit=1 to the kernel line ^^^ so that it's passed to the
> kernel.
> 
> >         initrd /initrd-2.6.18-194.el5.img
> > 
> > 
> > audit=1 is the first line, so why am I still getting the 4294967295
> > auids?

Steve's right, but the answer to your question is "because that has nothing
to do with audit=1." auids = -1 just mean that the process was not started by
a logged in user. They were likely started by init.

-Eric

From: Steve Grubb
Subject: Re: Confused about audit=1 in grub.conf
Date: Fri, 29 Oct 2010 12:20:24 -0400
Message-ID: <201010291220.24597.sgrubb@redhat.com>
In-Reply-To: <1288311702.3017.12.camel@localhost.localdomain>
To: Eric Paris
Cc: linux-audit@redhat.com, Robert Evans

On Thursday, October 28, 2010 08:21:42 pm Eric Paris wrote:
> On Thu, 2010-10-28 at 16:22 -0400, Steve Grubb wrote:
> > You needed to add audit=1 to the kernel line ^^^ so that it's passed to
> > the kernel.
> 
> Steve's right, but the answer to your question is "because that has
> nothing to do with audit=1." auids = -1 just mean that the process was
> not started by a logged in user. They were likely started by init.

That is true when you have audit=1 being passed to the kernel correctly.
However, if you do not do that, you sometimes run into problems with gdm
because of parallel booting. It's possible (even required an entry in the FAQ
because it was happening that often - see #8) to get auid of -1 when logging in
via gdm. So, if you have audit=1 and pam_loginuid is in the correct places and
you still get auid=-1, that is because it's a daemon or program running that is
not associated with a user session.

-Steve
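As an added example, not from this thread or the audit project: a POSIX shell check that flags kernel lines in a legacy grub.conf which do not carry audit=1 (the mistake Steve points out), and warns about a bare "audit=1" line that GRUB ignores. The sample configuration is constructed to mirror the original post; the function names and file path are assumptions.

```shell
#!/bin/sh
# Report kernel lines in a GRUB legacy config that do not pass audit=1.
# Usage: check_grub_audit /boot/grub/grub.conf   (exit 0 only if all carry it)
check_grub_audit() {
    conf="$1"
    missing=0
    total=0
    while IFS= read -r line; do
        # Drop leading whitespace; skip comments and non-kernel directives.
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            "#"*) continue ;;
            "audit=1") echo "note: bare 'audit=1' line is not a GRUB directive and is ignored"; continue ;;
            "kernel "*) ;;
            *) continue ;;
        esac
        total=$((total + 1))
        # Match audit=1 only as a whole token on the kernel command line.
        case " $trimmed " in
            *" audit=1 "*) ;;
            *) missing=$((missing + 1)); echo "no audit=1: $trimmed" ;;
        esac
    done < "$conf"
    echo "$total kernel line(s), $missing without audit=1"
    [ "$missing" -eq 0 ]
}

# Constructed sample mirroring the original post: audit=1 sits alone at the
# top of the file and the kernel line does not carry it.
sample_grub_conf() {
cat <<'EOF'
audit=1
default=0
timeout=5
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-194.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.18-194.el5.img
EOF
}

# The same entry with audit=1 appended to the kernel line, where GRUB
# actually hands it to the kernel.
fixed_grub_conf() {
    sample_grub_conf | sed 's|^\([[:space:]]*kernel .*\)$|\1 audit=1|'
}
```

Run it against the sample to see the failing report, then against the fixed version to confirm a clean exit status.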