Are you sure you have pam_loginuid.so configured in the appropriate /etc/pam.d/* files, such as login and sshd?
I'm running the .41 kernel and the audit-1.2.4 tools and the auid is correct in the audit records on my system. This is what my /etc/pam.d/login file looks like: #%PAM-1.0 auth required pam_securetty.so auth include system-auth account required pam_nologin.so account include system-auth password include system-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should be the last session rule session required pam_selinux.so open -- ljk Steve wrote: > I am receiving audit events with an odd auid... I am not sure if this > is something wrong in the kernel or in audit. The auid I am receiving > is 4294967295 (the max value for an unsigned long). The other uid/gid > information is normal. > > I have seen this on all audit versions since audit-1.2.3, and noticed it > using the following kernels: > > 2.6.17-1.2293.2.2_FC6.lspp.38.i686 > 2.6.17-1.2293.2.2_FC6.lspp.44.i686 > > The first time I noticed this was after the filter_key patch I applied > to audit-1.2.3, but it may have nothing to do with that patch. I > mentioned it then: > > https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html > > There is an example record from the audit dispatcher there. > > These events are coming straight from the real-time audit dispatcher. > > Steve > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
