From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve <m6x@ornl.gov>
Subject: Re: auid bug
Date: Mon, 24 Jul 2006 12:04:51 -0400
Message-ID: <44C4EFA3.7080706@ornl.gov>
References: <44BF8E4F.3000405@ornl.gov> <44BF9F0D.5010204@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6OG4vw1012243
	for <linux-audit@redhat.com>; Mon, 24 Jul 2006 12:04:57 -0400
Received: from emroute1.ornl.gov (emroute1.ornl.gov [160.91.4.119])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6OG4udT005036
	for <linux-audit@redhat.com>; Mon, 24 Jul 2006 12:04:56 -0400
Received: from emroute1.ornl.gov (localhost [127.0.0.1])
	by emroute1.ornl.gov (PMDF V6.2-1x9 #31038)
	with ESMTP id <0J2X0012E0O66Z@emroute1.ornl.gov> for
	linux-audit@redhat.com; Mon, 24 Jul 2006 12:04:55 -0400 (EDT)
In-reply-to: <44BF9F0D.5010204@hp.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linda Knippers <linda.knippers@hp.com>
Cc: linux-audit@redhat.com, Steve <mckinneysj@ornl.gov>
List-Id: linux-audit@redhat.com

> Are you sure you have pam_loginuid.so configured in the appropriate
> /etc/pam.d/* files, such as login and sshd?

I checked the login file and it matches yours, I am not using ssh on 
this machine.

> I'm running the .41 kernel and the audit-1.2.4 tools and
> the auid is correct in the audit records on my system.

Most of the time, mine is correct as well.  It seems to occur 
sporadically.  Usually, a reboot will fix the problem.

Steve


>> I am receiving audit events with an odd auid...  I am not sure if this
>> is something wrong in the kernel or in audit.  The auid I am receiving
>> is 4294967295 (the max value for an unsigned long).  The other uid/gid
>> information is normal.
>>
>> I have seen this on all audit versions since audit-1.2.3, and noticed it
>> using the following kernels:
>>
>> 2.6.17-1.2293.2.2_FC6.lspp.38.i686
>> 2.6.17-1.2293.2.2_FC6.lspp.44.i686
>>
>> The first time I noticed this was after the filter_key patch I applied
>> to audit-1.2.3, but it may have nothing to do with that patch.  I
>> mentioned it then:
>>
>> https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html
>>
>> There is an example record from the audit dispatcher there.
>>
>> These events are coming straight from the real-time audit dispatcher.
>>
>> Steve