Timothy R. Chavez wrote: [Thu Aug 10 2006, 11:04:29AM EDT]
> On Wed, 2006-08-09 at 18:08 -0400, Rick Warner wrote:
> > Hello all,
> >
> > I am trying to set up file watches for files such as /etc/passwd
> > and /etc/shadow. I am using Suse 10.1. I have updated the kernel to a
> > kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to
> > version 1.2.3. I can add filesystem watches with "auditctl -w /etc/passwd"
> > successfully now. Entries in the audit.log are created.
> >
> > The first problem is that when I use "aureport -w", it tells me "<no events
> > of interest were found>". Using "aureport -f" instead, it shows entries
> > for /etc/passwd, but the auid column for all results is -1 (or "unset" if
> > using the -i option to aureport). Looking at the audit logfile,
> > auid=4294967295 which then correlates to -1 when used as a signed vs
> > unsigned int.
> >
> > How can I fix this?
> >
>
> Rick,
>
> I believe a special PAM package is used to capture the login uid (auid).
> I'm guessing that's where your problem lies.

pam_loginuid(8) has some helpful info.
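The symptom discussed in this thread can be checked directly against the log. The following is an added example, not part of the original messages or of the audit tools: it joins SYSCALL and PATH records by event ID and lists file accesses whose auid is the unset value 4294967295. The sample records, the function names and the reduced field set are constructed for illustration.

```python
import re
from collections import defaultdict

UNSET_AUID = 0xFFFFFFFF  # 4294967295 == (uint32)-1: no login uid was set for the session

# Constructed sample records in audit.log style (not taken from the thread).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1155222269.101:41): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2101 auid=4294967295 uid=0 gid=0 comm="vi" exe="/usr/bin/vi"
type=PATH msg=audit(1155222269.101:41): item=0 name="/etc/passwd" inode=1201 dev=03:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1155222301.554:42): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2188 auid=1000 uid=0 gid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1155222301.554:42): item=0 name="/etc/shadow" inode=1207 dev=03:02 mode=0100640 ouid=0 ogid=15
'''

MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event ID (timestamp, serial) so SYSCALL and PATH records join."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[(m.group("ts"), int(m.group("serial")))]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def auid_to_signed(auid):
    """Read the unsigned 32-bit auid as a signed int: 4294967295 becomes -1."""
    return auid - (1 << 32) if auid >= (1 << 31) else auid

def unattributed_accesses(text):
    """Return (serial, path, exe, signed_auid) for file accesses with no login uid."""
    hits = []
    for (_, serial), ev in sorted(parse_events(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("auid") != str(UNSET_AUID):
            continue  # event is attributed to a login uid, or has no SYSCALL record
        for path in ev["paths"]:
            hits.append((serial, path, sc.get("exe"), auid_to_signed(UNSET_AUID)))
    return hits

if __name__ == "__main__":
    print(unattributed_accesses(SAMPLE_LOG))
```

Events that still show the unset value after pam_loginuid is configured point to processes started outside a PAM login session.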
