On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote: > So I was wondering if anyone had seen this. I have a set of nodes that > when we setup auditd on them the events we get back list the auid as > unset for basically everything except for login which shows up > correctly. Does anyone know where I may need to look at the config, > something in PAM or else where?
All entry point daemons should have a call to pam_loginuid in their pam stack. This would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You might also want audit=1 added to the kernel boot line. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
