Are you sure you have pam_loginuid.so configured in the appropriate /etc/pam.d/* files, such as login and sshd?
I checked the login file and it matches yours, I am not using ssh on this machine.
I'm running the .41 kernel and the audit-1.2.4 tools and the auid is correct in the audit records on my system.
Most of the time, mine is correct as well. It seems to occur sporadically. Usually, a reboot will fix the problem.
Steve
I am receiving audit events with an odd auid... I am not sure if this is something wrong in the kernel or in audit. The auid I am receiving is 4294967295 (the max value for an unsigned long). The other uid/gid information is normal. I have seen this on all audit versions since audit-1.2.3, and noticed it using the following kernels: 2.6.17-1.2293.2.2_FC6.lspp.38.i686 2.6.17-1.2293.2.2_FC6.lspp.44.i686 The first time I noticed this was after the filter_key patch I applied to audit-1.2.3, but it may have nothing to do with that patch. I mentioned it then: https://www.redhat.com/archives/linux-audit/2006-June/msg00086.html There is an example record from the audit dispatcher there. These events are coming straight from the real-time audit dispatcher. Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
