From: Burak Gürer
Reply-To: burak4burak@msn.com
Subject: auid=4294967295 issue
Date: Mon, 12 Jan 2015 12:12:02 +0200
Message-ID: <54B39DF2.9020707@msn.com>
In-Reply-To: <2247361.QvknK8CF0u@x2>
References: <1676603.MYLvDDvdka@scrapy.abaqis.com> <1463074.0R9kLf2U71@x2> <54AE8714.1000904@msn.com> <2247361.QvknK8CF0u@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

thanks for your assistance,

> For RHEL5, I know it's enabled. But based on your questions above, you are
> asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
>
> # cat /proc/cmdline
>
> and
>
> # cat /proc/self/loginuid
>
> would let you check. In the first, make sure audit=1 is there and in the second
> case, the output should be the uid under which you logged into the system.
>
> -Steve

[root@test /root]# cat /proc/cmdline
ro root=LABEL=/ audit=1 rhgb quiet

[root@test /root]# cat /proc/self/loginuid
0

To narrow the circle:

We have some Linux servers and a central log collector system. We are sending the audit logs to this log system. This log collector system can parse such logs, but it gets confused at lines with "auid=4294967295" in the audit logs.

I have tried everything, but these lines are still coming:

type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

and

[root@test /root]# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
session    required     pam_loginuid.so
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so

So, are there any other hints, or what else can I do?
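The value 4294967295 in these records is (uid_t)-1 printed as an unsigned 32-bit integer: the kernel's marker for a login uid that has not been set yet. The two posted records (USER_ACCT and CRED_ACQ) are emitted by crond's account and credential stages, which run before the session stage where pam_loginuid.so would set the login uid, so an unset auid is the normal state for them. A collector should therefore treat auid=4294967295 as "unset" rather than fail on it, and reserve alerting for unset values where a login uid is expected (a session record from an interactive service such as sshd, where it usually points at pam_loginuid missing from that service's stack). The parser below is an added example written for this thread, not code from the list, the audit project or Red Hat; the first two sample lines are copied from the post, the last two are constructed (the account name and addresses are invented), and the set of daemons for which an unset auid is expected is an example policy, not a standard.

```python
import re

# The kernel stores an unset login uid as (uid_t)-1 and prints it unsigned,
# which is why the crond records in the post carry auid=4294967295.
AUID_UNSET = 4294967295

# Record header: type=..., msg=audit(<seconds>.<millis>:<serial>):, then the fields.
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)

# key=value pairs; a value is 'single-quoted', "double-quoted" or bare.
# Bare values stop at whitespace, ',' or ')' so "(hostname=?, addr=?" splits cleanly.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^\s,)]+)")

# Example policy (an assumption for this demo): daemons whose account/credential
# records are expected to carry an unset auid because no login session exists yet.
DAEMONS_WITH_EXPECTED_UNSET_AUID = frozenset({"/usr/sbin/crond"})

SAMPLE_LINES = [
    # Copied from the post above (crond on RHEL5).
    "type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 auid=4294967295 "
    "msg='PAM: accounting acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    "type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 auid=4294967295 "
    "msg='PAM: setcred acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    # Constructed: an interactive ssh session with a set login uid.
    "type=USER_START msg=audit(1420656100.123:2900): user pid=6120 uid=0 auid=500 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    # Constructed: the same kind of session record with an unset login uid, the case worth flagging.
    "type=USER_START msg=audit(1420656200.456:2950): user pid=6140 uid=0 auid=4294967295 "
    "msg='op=PAM:session_open acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.6 addr=10.0.0.6 terminal=ssh res=success'",
]


def _unquote(raw):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return raw[1:-1]
    return raw


def _parse_fields(text):
    """Turn a key=value list into a dict; later duplicates win."""
    return {key: _unquote(value) for key, value in FIELD_RE.findall(text)}


def parse_audit_line(line):
    """Parse one audit record, normalising auid=4294967295 to auid=None plus a flag."""
    match = HEADER_RE.match(line.strip())
    if not match:
        raise ValueError("not an audit record: %r" % line)
    fields = _parse_fields(match.group("rest"))
    # The PAM message (msg='...') is itself a key=value list; parse it one level down.
    msg_fields = _parse_fields(fields.get("msg", ""))
    record = {
        "type": match.group("type"),
        "timestamp": float(match.group("ts")),
        "serial": int(match.group("serial")),
        "fields": fields,
        "msg_fields": msg_fields,
        "auid": None,        # numeric login uid, or None when absent or unset
        "auid_unset": False,  # True only when the field was present and equal to (uid_t)-1
    }
    if "auid" in fields:
        auid = int(fields["auid"])
        if auid == AUID_UNSET:
            record["auid_unset"] = True
        else:
            record["auid"] = auid
    return record


def classify_unset_auid(record, expected_daemons=DAEMONS_WITH_EXPECTED_UNSET_AUID):
    """'set', 'expected-unset' (known daemon context) or 'unexpected-unset' (investigate)."""
    if not record["auid_unset"]:
        return "set"
    if record["msg_fields"].get("exe") in expected_daemons:
        return "expected-unset"
    return "unexpected-unset"


def summarize(lines):
    """Count records per classification; a collector would feed the third bucket to alerting."""
    counts = {"set": 0, "expected-unset": 0, "unexpected-unset": 0}
    for line in lines:
        counts[classify_unset_auid(parse_audit_line(line))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_audit_line(line)
        print(rec["type"], rec["serial"], rec["msg_fields"].get("exe"), classify_unset_auid(rec))
    print(summarize(SAMPLE_LINES))
```

Feeding the two posted crond records through `parse_audit_line` yields `auid=None, auid_unset=True` and the classification `expected-unset`, which is the behaviour the collector in the post needs instead of a parse failure; the constructed sshd record with an unset auid is the one that lands in `unexpected-unset`.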