Thanks. I removed quiet from gruf.conf and I see from the output at boot. I do see like start audit [ok]
The problem is, cat /proc/self/loginuid is still 4294967295 if I login. However, I do see lots of events the auid is 0. I even see auid change reflect in the event. Like type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952 uid=root old auid=unset new auid=root So, I am really confused. On Wed, Jul 24, 2013 at 6:53 AM, Steve Grubb <[email protected]> wrote: > On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote: > > I read my audit logs.I always see lots of auid values are 4294967295. > Even > > when I delete a file, the value is still 4294967295? > > In a normal system, there will be some events with 4294967295. These > should be > daemons and system events. Anything caused by a user should have the auid > set > to their uid. This is done by pam_loginuid. > > > I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. Howver, it is > still > > the same value? > > I wonder what is wrong? > > cat /proc/self/loginuid > > If that shows the account you logged in with, its working. If not, then > something is wrong with pam or the kernel. > > -Steve > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
