public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: burak4burak@msn.com
Cc: linux-audit@redhat.com
Subject: Re: auid=4294967295 issue
Date: Mon, 12 Jan 2015 09:54:35 -0500
Message-ID: <5155274.vzsIUXDm7I@x2>
In-Reply-To: <54B39DF2.9020707@msn.com>

On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote:
> we have some linux servers and a central log collector system. we are
> sending audit logs to this log system. this log collector system can
> parse such logs but this system is confused at lines with "auid=4294967295"
> in audit logs.

auid=4294967295 is the same as auid=-1, which means that it's unset.


> i have tried everything but still these lines are coming:
> 
>     type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
>     auid=4294967295 msg='PAM: accounting acct="root" :
>     exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
>     type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
>     auid=4294967295 msg='PAM: setcred acct="root" :
>     exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> 
> and
> 
>     [root@test /root]# cat /etc/pam.d/crond
>     #
>     # The PAM configuration file for the cron daemon
>     #
>     #
>     session    required     pam_loginuid.so
>     auth       required     pam_unix.so
>     auth       required     pam_nologin.so
>     account    required     pam_unix.so
>     password   required     pam_unix.so
>     session    required     pam_unix.so
> 
> so is there any other hints or what can i do else?

Your pam file looks different than what is shipped. You might want to try the 
default config file for crond:

auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

-Steve
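
An added example, not part of the original message: one way a log collector could normalize the auid field so that 4294967295 and -1 are both treated as "unset" rather than as a real login uid. The function names are hypothetical, and the sample records are constructed (the first two are the records quoted above joined onto single lines; the last two are invented).

```python
import re

AUID_UNSET = 0xFFFFFFFF  # (uint32_t)-1 == 4294967295

# Constructed sample input (see lead-in).
SAMPLE = [
    'type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 '
    'auid=4294967295 msg=\'PAM: accounting acct="root" : exe="/usr/sbin/crond" '
    '(hostname=?, addr=?, terminal=cron res=success)\'',
    'type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 '
    'auid=4294967295 msg=\'PAM: setcred acct="root" : exe="/usr/sbin/crond" '
    '(hostname=?, addr=?, terminal=cron res=success)\'',
    'type=USER_START msg=audit(1420656100.101:2810): user pid=6120 uid=0 '
    'auid=1000 msg=\'PAM: session open acct="root" : exe="/usr/bin/sudo" '
    '(hostname=?, addr=?, terminal=pts/0 res=success)\'',
    'type=USER_ACCT msg=audit(1420656200.002:2811): user pid=6200 uid=0 '
    'auid=-1 msg=\'PAM: accounting acct="root" : exe="/usr/sbin/crond" '
    '(hostname=?, addr=?, terminal=cron res=success)\'',
]

_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")
_AUID = re.compile(r"(?<!\S)auid=(-?\d+)")  # field must start after whitespace


def normalize_auid(raw):
    """Return the login uid as an int, or None when it is unset.

    Masking to 32 bits maps the signed text form (-1) and the unsigned
    text form (4294967295) onto the same value. auid=0 stays 0: a root
    login is a real value and must not be confused with "unset".
    """
    value = int(raw) & 0xFFFFFFFF
    return None if value == AUID_UNSET else value


def parse_record(line):
    """Extract type, serial number and normalized auid from one record."""
    head = _HEADER.match(line)
    if head is None:
        raise ValueError("not an audit record: %r" % line[:40])
    field = _AUID.search(line)
    auid = normalize_auid(field.group(1)) if field else None
    return {"type": head.group(1), "serial": int(head.group(4)), "auid": auid}


def unset_serials(lines):
    """Serial numbers of records whose login uid was never set."""
    return [r["serial"] for r in map(parse_record, lines) if r["auid"] is None]
```
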
