From mboxrd@z Thu Jan  1 00:00:00 1970
From: Linda Knippers <linda.knippers@hp.com>
Subject: Re: auid bug
Date: Thu, 20 Jul 2006 11:19:41 -0400
Message-ID: <44BF9F0D.5010204@hp.com>
References: <44BF8E4F.3000405@ornl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6KFLZeh021013
	for <linux-audit@redhat.com>; Thu, 20 Jul 2006 11:21:35 -0400
Received: from atlrel7.hp.com (atlrel7.hp.com [156.153.255.213])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k6KFLTQc006865
	for <linux-audit@redhat.com>; Thu, 20 Jul 2006 11:21:30 -0400
In-Reply-To: <44BF8E4F.3000405@ornl.gov>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve <m6x@ornl.gov>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Are you sure you have pam_loginuid.so configured in the appropriate
/etc/pam.d/* files, such as login and sshd?

I'm running the .41 kernel and the audit-1.2.4 tools and
the auid is correct in the audit records on my system.

This is what my /etc/pam.d/login file looks like:
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

-- ljk

Steve wrote:
> I am receiving audit events with an odd auid...  I am not sure if this
> is something wrong in the kernel or in audit.  The auid I am receiving
> is 4294967295 (the max value for an unsigned long).  The other uid/gid
> information is normal.
> 
> I have seen this on all audit versions since audit-1.2.3, and noticed it
> using the following kernels:
> 
> 2.6.17-1.2293.2.2_FC6.lspp.38.i686
> 2.6.17-1.2293.2.2_FC6.lspp.44.i686
> 
> The first time I noticed this was after the filter_key patch I applied
> to audit-1.2.3, but it may have nothing to do with that patch.  I
> mentioned it then:
> 
> https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html
> 
> There is an example record from the audit dispatcher there.
> 
> These events are coming straight from the real-time audit dispatcher.
> 
> Steve
> 
> -- 
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit