From: Steve Grubb
Subject: Re: auid=4294967295 issue
Date: Mon, 12 Jan 2015 09:54:35 -0500
Message-ID: <5155274.vzsIUXDm7I@x2>
To: burak4burak@msn.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote:
> we have some linux servers and a central log collector system. we are
> sending audit logs to this log system. this log collector system can
> parse such logs but this system is confused at lines with "auid=4294967295"
> in audit logs.

auid=4294967295 is the same as auid=-1, which means that it's unset.

> i have tried everything but still these lines are coming:
>
> type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" :
> exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" :
> exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
>
> and
>
> [root@test /root]# cat /etc/pam.d/crond
> #
> # The PAM configuration file for the cron daemon
> #
> #
> session required pam_loginuid.so
> auth required pam_unix.so
> auth required pam_nologin.so
> account required pam_unix.so
> password required pam_unix.so
> session required pam_unix.so
>
> so are there any other hints or what can i do else?

Your pam file looks different than what is shipped. You might want to try the
default config file for crond:

auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth

-Steve
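
For a log collector that trips over this value, one way to normalize it at parse time, given here as an added example that is not code from this thread or from the audit project: it treats auid as a 32-bit value, so 4294967295 and -1 both map to "unset". The function names are assumptions, and the second sample record is constructed for contrast.

```python
import re

UNSET = 0xFFFFFFFF  # (uint32)-1, printed as 4294967295: auid was never set

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)", re.S)
# key=value where value is '...', "..." or a bare token ending at space , ) or '
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s,)']+)""")


def normalize_auid(value):
    """Return the login uid as int, or None when it is the unset sentinel."""
    n = int(value) & 0xFFFFFFFF  # "-1" and "4294967295" are the same 32 bits
    return None if n == UNSET else n


def parse_fields(text):
    """Collect key=value pairs, flattening the nested msg='...' payload."""
    out = {}
    for key, val in FIELD.findall(text):
        if val.startswith("'"):
            out.update(parse_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out


def parse_record(line):
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record")
    rec_type, stamp, serial, body = m.groups()
    rec = {"type": rec_type, "time": stamp, "serial": int(serial)}
    rec.update(parse_fields(body))
    if "auid" in rec:
        rec["auid"] = normalize_auid(rec["auid"])
    return rec


SAMPLE = [
    # First record quoted in the thread, re-joined onto one line.
    "type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 "
    "auid=4294967295 msg='PAM: accounting acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    # Constructed record: same event with a login uid set.
    "type=USER_ACCT msg=audit(1420656002.100:2806): user pid=6090 uid=0 "
    "auid=1000 msg='PAM: accounting acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_record(line)
        print(rec["serial"], rec["exe"], "auid:", rec["auid"])
```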