* why auid always unset?
From: zhu xiuming @ 2013-07-23 22:49 UTC (permalink / raw)
To: Linux-audit
I read my audit logs. I always see lots of auid values are 4294967295. Even
when I delete a file, the value is still 4294967295?
I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
the same value?
I wonder what is wrong?
* Re: why auid always unset?
From: zhu xiuming @ 2013-07-23 23:37 UTC (permalink / raw)
To: Linux-audit
BTW, I put audit=1 to my grub.conf and restarted my host. Still the same
On Tue, Jul 23, 2013 at 3:49 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> I read my audit logs. I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?
> I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is
> still the same value?
> I wonder what is wrong?
>
* Re: why auid always unset?
From: Steve Grubb @ 2013-07-24 13:53 UTC (permalink / raw)
To: linux-audit
On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> I read my audit logs. I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?
In a normal system, there will be some events with 4294967295. These should be
daemons and system events. Anything caused by a user should have the auid set
to their uid. This is done by pam_loginuid.
> I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
> the same value?
> I wonder what is wrong?
cat /proc/self/loginuid
If that shows the account you logged in with, it's working. If not, then
something is wrong with pam or the kernel.
-Steve
* Re: why auid always unset?
From: zhu xiuming @ 2013-07-25 22:35 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux-audit@redhat.com
Thanks.
I removed quiet from grub.conf and I see from the output at boot.
I do see like
start audit [ok]
The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
However, I do see lots of events the auid is 0. I even see auid change
reflect in the event.
Like
type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
uid=root old auid=unset new auid=root
So, I am really confused.
On Wed, Jul 24, 2013 at 6:53 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> > I read my audit logs. I always see lots of auid values are 4294967295. Even
> > when I delete a file, the value is still 4294967295?
>
> In a normal system, there will be some events with 4294967295. These should be
> daemons and system events. Anything caused by a user should have the auid set
> to their uid. This is done by pam_loginuid.
>
> > I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
> > the same value?
> > I wonder what is wrong?
>
> cat /proc/self/loginuid
>
> If that shows the account you logged in with, it's working. If not, then
> something is wrong with pam or the kernel.
>
> -Steve
* Re: why auid always unset?
From: Steve Grubb @ 2013-07-25 23:54 UTC (permalink / raw)
To: zhu xiuming; +Cc: Linux-audit@redhat.com
On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote:
> The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
>
> However, I do see lots of events the auid is 0. I even see auid change
> reflect in the event.
> Like
>
> type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
> uid=root old auid=unset new auid=root
This would be a root login. Which should be forbidden since root is a shared
account amongst admins.
> So, I am really confused.
Something is wrong in your pam setup. You might check the compile flags or if
pam_loginuid is in the right section. But that is undoubtedly the problem.
-Steve
* Re: why auid always unset?
From: zhu xiuming @ 2013-07-25 23:58 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux-audit@redhat.com
So, what should be the right settings for pam_loginuid? Is there any
documentation?
Thanks a lot
On Thu, Jul 25, 2013 at 4:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote:
> > The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
> >
> > However, I do see lots of events the auid is 0. I even see auid change
> > reflect in the event.
> > Like
> >
> > type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
> > uid=root old auid=unset new auid=root
>
> This would be a root login. Which should be forbidden since root is a shared
> account amongst admins.
>
> > So, I am really confused.
>
> Something is wrong in your pam setup. You might check the compile flags or if
> pam_loginuid is in the right section. But that is undoubtedly the problem.
>
> -Steve
>
* Re: why auid always unset?
From: zhu xiuming @ 2013-07-26 21:20 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux-audit@redhat.com
Hi,
Finally, I found out the order of pam_loginuid was wrong. It should be
the first part of session required modules.
Now, it works
Thanks a lot
On Thu, Jul 25, 2013 at 4:58 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:
> So, what should be the right settings for pam_loginuid? Is there any
> documentation?
>
> thanks a lot
>
>
> On Thu, Jul 25, 2013 at 4:54 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote:
>> > The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
>> >
>> > However, I do see lots of events the auid is 0. I even see auid change
>> > reflect in the event.
>> > Like
>> >
>> > type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
>> > uid=root old auid=unset new auid=root
>>
>> This would be a root login. Which should be forbidden since root is a shared
>> account amongst admins.
>>
>> > So, I am really confused.
>>
>> Something is wrong in your pam setup. You might check the compile flags or if
>> pam_loginuid is in the right section. But that is undoubtedly the problem.
>>
>> -Steve
>>
>
>
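
The two checks this thread arrives at, combined into one script as an added example that was not written by anyone in the thread: reading a loginuid value the way Steve's `cat /proc/self/loginuid` test does, and reporting where pam_loginuid sits among a service's session entries. The function names and the sample PAM files are constructed for illustration; the "first session entry" criterion is the one the poster reports as the fix.

```shell
#!/bin/sh
# Added example, not from the thread. 4294967295 is (uid_t)-1, which the
# audit tools display as "unset".
AUID_UNSET=4294967295

# Print "unset", "set:<uid>" or "unreadable" for a loginuid file
# (default: the calling process's own /proc/self/loginuid).
loginuid_state() {
    val=$(cat "${1:-/proc/self/loginuid}" 2>/dev/null) || { echo unreadable; return 0; }
    if [ "$val" = "$AUID_UNSET" ]; then echo unset; else echo "set:$val"; fi
}

# Print where pam_loginuid sits among the session entries of one
# /etc/pam.d-style file: "first", "after:<n>" (n session entries run
# before it) or "missing". Included files are not followed.
pam_loginuid_position() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "session" || $1 == "-session" {
            if ($0 ~ /pam_loginuid\.so/) {
                print (n == 0 ? "first" : "after:" n); found = 1; exit
            }
            n++
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files (not taken from the poster's system).
demo=$(mktemp -d)
cat > "$demo/sshd.before" <<'EOF'
auth       include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
cat > "$demo/sshd.after" <<'EOF'
auth       include      system-auth
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
EOF
echo "$AUID_UNSET" > "$demo/loginuid.daemon"

for f in "$demo"/sshd.*; do
    printf '%s: %s\n' "${f##*/}" "$(pam_loginuid_position "$f")"
done
printf 'sample loginuid: %s\n' "$(loginuid_state "$demo/loginuid.daemon")"
printf 'this shell:      %s\n' "$(loginuid_state)"
```

On a real host, point `pam_loginuid_position` at each file under /etc/pam.d for the login services named in the thread, then log in again and re-run `loginuid_state` from the new session.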