Hi everyone!

first of all sorry for my bad english!

i could not accomplish to get rid of from auid=4294967295 issue

i have implemented that suggestions:

https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt

but not succeed.
is there any other reasons or solutions?

by the way suggestions in the links, is it important to where we put the 
suggested confs:

e.g. which line to put "audit=1"
or which line to put "session required pam_loginuid.so"

and further are kernel or audit package versions important?

If anyone can help with this it will be very helpful.

Regards,

  On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>> I have been digging around trying to find the answer to the above,
>>> hopefully I didn't miss something obvious. It was for RHEL < 7 is it
>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>> AFAIK, all linux kernels from all distributions have the same need. What
>> that flag does is enable the audit system. When the audit system is enabled
>> and every time there is a fork, the TIF_AUDIT flag is added to the process.
>> This make the process auditable.
>>
>> Without this flag, the process cannot be audited...ever. So, if systemd was
>> to do some magic (and it doesn't), then systemd itself would not be
>> auditable nor any process it creates until audit became enabled.
>>
>> -Steve
> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
> mentioning this. I think I'll open a bug for the SCAP security guide about
> this.
>
> -Erinn
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit