* Confused about audit=1 in grub.conf
From: Robert Evans @ 2010-10-28 19:40 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1: Type: text/html, Size: 1543 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
* Re: Confused about audit=1 in grub.conf
From: Steve Grubb @ 2010-10-28 20:22 UTC (permalink / raw)
To: linux-audit; +Cc: Robert Evans
On Thursday, October 28, 2010 03:40:58 pm Robert Evans wrote:
> I did some research and am confused about starting the audit daemon at
> boot time, so that you don't get auid's of 4294967295.
>
> In RHEL 5.5, my grub.conf looks like this:
>
> audit=1
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this file
> # NOTICE: You have a /boot partition. This means that
> # all kernel and initrd paths are relative to /boot/, eg.
> # root (hd0,0)
> # kernel /vmlinuz-version ro root=/dev/sda4
> # initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title Red Hat Enterprise Linux Server (2.6.18-194.el5)
> root (hd0,0)
> kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
You needed to add audit=1 to the kernel line ^^^ so that it's passed to the
kernel.
> initrd /initrd-2.6.18-194.el5.img
>
>
> audit=1 is the first line, so why am I still getting the 4294967295
> auid's?
* Re: Confused about audit=1 in grub.conf
From: Eric Paris @ 2010-10-29 0:21 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, Robert Evans
On Thu, 2010-10-28 at 16:22 -0400, Steve Grubb wrote:
> On Thursday, October 28, 2010 03:40:58 pm Robert Evans wrote:
> > I did some research and am confused about starting the audit daemon at
> > boot time, so that you don't get auid's of 4294967295.
> >
> > In RHEL 5.5, my grub.conf looks like this:
> >
> > audit=1
> > # grub.conf generated by anaconda
> > #
> > # Note that you do not have to rerun grub after making changes to this file
> > # NOTICE: You have a /boot partition. This means that
> > # all kernel and initrd paths are relative to /boot/, eg.
> > # root (hd0,0)
> > # kernel /vmlinuz-version ro root=/dev/sda4
> > # initrd /initrd-version.img
> > #boot=/dev/sda
> > default=0
> > timeout=5
> > splashimage=(hd0,0)/grub/splash.xpm.gz
> > hiddenmenu
> > title Red Hat Enterprise Linux Server (2.6.18-194.el5)
> > root (hd0,0)
> > kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
>
> You needed to add audit=1 to the kernel line ^^^ so that it's passed to the
> kernel.
>
>
> > initrd /initrd-2.6.18-194.el5.img
> >
> >
> > audit=1 is the first line, so why am I still getting the 4294967295
> > auid's?
Steve's right, but the answer to your question is "because that has
nothing to do with audit=1." auid's = -1 just mean that the process was
not started by a logged in user. They were likely started by init.
-Eric
* Re: Confused about audit=1 in grub.conf
From: Steve Grubb @ 2010-10-29 16:20 UTC (permalink / raw)
To: Eric Paris; +Cc: linux-audit, Robert Evans
On Thursday, October 28, 2010 08:21:42 pm Eric Paris wrote:
> On Thu, 2010-10-28 at 16:22 -0400, Steve Grubb wrote:
> > You needed to add audit=1 to the kernel line ^^^ so that it's passed to
> > the kernel.
>
> Steve's right, but the answer to your question is "because that has
> nothing to do with audit=1." auid's = -1 just mean that the process was
> not started by a logged in user. They were likely started by init.
That is true when you have audit=1 being passed to the kernel correctly.
However, if you do not do that, you sometimes run into problems with gdm
because of parallel booting. It's possible (even required an entry in the FAQ
because it was happening that often - see #8) to get auid of -1 when logging
in via gdm.
So, if you have audit=1 and pam_loginuid is in the correct places and you
still get auid=-1, that is because it's a daemon or program running that is not
associated with a user session.
-Steve
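
Added example, not part of any message in this thread: a shell check for the mistake discussed above, where audit=1 sits on its own line in a legacy grub.conf instead of on the kernel line. The function names and the second "Fixed entry" stanza in the sample are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample: the grub.conf from the thread (audit=1 on its own line,
# which never reaches the kernel) plus a second, correctly configured entry.
sample_grub_conf() {
cat <<'EOF'
audit=1
default=0
timeout=5
title Red Hat Enterprise Linux Server (2.6.18-194.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.18-194.el5.img
title Fixed entry (constructed)
        kernel /vmlinuz-2.6.18-194.el5 ro root=LABEL=/ rhgb quiet audit=1
        initrd /initrd-2.6.18-194.el5.img
EOF
}

# Read a grub.conf on stdin and print "<line number>:<kernel image>" for every
# kernel line whose arguments do not include audit=1. Commented-out lines are
# skipped because their first field is "#", not "kernel".
kernels_missing_audit() {
    awk '
        $1 == "kernel" {
            found = 0
            for (i = 3; i <= NF; i++) if ($i == "audit=1") found = 1
            if (!found) print NR ":" $2
        }'
}

# Return 0 if a kernel command line carries audit=1 as a whole word.
# With no argument, the running kernel's /proc/cmdline is checked.
cmdline_has_audit() {
    local cmdline="${1-$(cat /proc/cmdline 2>/dev/null)}"
    case " $cmdline " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 4294967295 is -1 stored as an unsigned 32-bit value: the auid was never set.
describe_auid() {
    if [ "$1" = "4294967295" ] || [ "$1" = "-1" ]; then echo unset; else echo "$1"; fi
}

sample_grub_conf | kernels_missing_audit
```

On a real system, feed it the file directly, for example `kernels_missing_audit < /boot/grub/grub.conf`, and confirm after reboot with `cmdline_has_audit`.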