* why auid always unset?
@ 2013-07-23 22:49 zhu xiuming
  2013-07-23 23:37 ` zhu xiuming
  2013-07-24 13:53 ` Steve Grubb
  0 siblings, 2 replies; 7+ messages in thread
From: zhu xiuming @ 2013-07-23 22:49 UTC (permalink / raw)
  To: Linux-audit


I read my audit logs. I always see lots of auid values are 4294967295. Even
when I delete a file, the value is still 4294967295?
I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
the same value?
I wonder what is wrong?

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-23 22:49 why auid always unset? zhu xiuming
@ 2013-07-23 23:37 ` zhu xiuming
  2013-07-24 13:53 ` Steve Grubb
  1 sibling, 0 replies; 7+ messages in thread
From: zhu xiuming @ 2013-07-23 23:37 UTC (permalink / raw)
  To: Linux-audit


BTW, I put audit=1 to my grub.conf and restarted my host. Still the same


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-23 22:49 why auid always unset? zhu xiuming
  2013-07-23 23:37 ` zhu xiuming
@ 2013-07-24 13:53 ` Steve Grubb
  2013-07-25 22:35   ` zhu xiuming
  1 sibling, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2013-07-24 13:53 UTC (permalink / raw)
  To: linux-audit

On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> I read my audit logs. I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?

In a normal system, there will be some events with 4294967295. These should be 
daemons and system events. Anything caused by a user should have the auid set 
to their uid. This is done by pam_loginuid.

> I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
> the same value?
> I wonder what is wrong?

cat /proc/self/loginuid

If that shows the account you logged in with, it's working. If not, then
something is wrong with pam or the kernel.

-Steve

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-24 13:53 ` Steve Grubb
@ 2013-07-25 22:35   ` zhu xiuming
  2013-07-25 23:54     ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: zhu xiuming @ 2013-07-25 22:35 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-audit@redhat.com


Thanks.
I removed quiet from grub.conf and I see from the output at boot.
I do see like
start audit [ok]

The problem is, cat /proc/self/loginuid is still 4294967295 if I login.

However, I do see lots of events the auid is 0.  I even see auid change
reflect in the event.
Like

type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
uid=root old auid=unset new auid=root

So, I am really confused.





^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-25 22:35   ` zhu xiuming
@ 2013-07-25 23:54     ` Steve Grubb
  2013-07-25 23:58       ` zhu xiuming
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2013-07-25 23:54 UTC (permalink / raw)
  To: zhu xiuming; +Cc: Linux-audit@redhat.com

On Thursday, July 25, 2013 03:35:52 PM zhu xiuming wrote:
> The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
> 
> However, I do see lots of events the auid is 0.  I even see auid change
> reflect in the event.
> Like
> 
> type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
> uid=root old auid=unset new auid=root

This would be a root login. Which should be forbidden since root is a shared 
account amongst admins.


> So, I am really confused.

Something is wrong in your pam setup. You might check the compile flags or if 
pam_loginuid is in the right section. But that is undoubtedly the problem.

-Steve

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-25 23:54     ` Steve Grubb
@ 2013-07-25 23:58       ` zhu xiuming
  2013-07-26 21:20         ` zhu xiuming
  0 siblings, 1 reply; 7+ messages in thread
From: zhu xiuming @ 2013-07-25 23:58 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-audit@redhat.com


So, what should be the right settings for pam_loginuid? Is there any
documentation?

thanks a lot


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: why auid always unset?
  2013-07-25 23:58       ` zhu xiuming
@ 2013-07-26 21:20         ` zhu xiuming
  0 siblings, 0 replies; 7+ messages in thread
From: zhu xiuming @ 2013-07-26 21:20 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-audit@redhat.com


Hi,
Finally, I found it out: the order of pam_loginuid was wrong. It should be
the first part of session required modules.
Now, it works.
Thanks a lot



^ permalink raw reply	[flat|nested] 7+ messages in thread
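
The two checks this thread converges on, as an added example that is not part of any message above: classify the value in /proc/self/loginuid, and report where pam_loginuid sits among a PAM service file's session lines, with "first" being the placement the final message found to work. The function names and the two sample PAM files are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample PAM files are constructed.
UNSET_AUID=4294967295   # the "unset" auid value seen in the thread's audit records

# Classify a value read from /proc/<pid>/loginuid.
loginuid_state() {
    case "$1" in
        "$UNSET_AUID") echo unset ;;
        ''|*[!0-9]*)   echo invalid ;;
        *)             echo "set:$1" ;;
    esac
}

# Where does pam_loginuid sit among the session lines of one PAM service file?
# Prints: missing | first | late:<position>
pam_loginuid_position() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        { kind = $1; sub(/^-/, "", kind) }    # leading "-" only silences missing-module logging
        kind == "session" {
            n++                               # include/substack lines count as a position too
            if (!pos && $0 ~ /pam_loginuid\.so/) pos = n
        }
        END {
            if (!pos) print "missing"
            else if (pos == 1) print "first"
            else print "late:" pos
        }' "$1"
}

# Write two constructed service files: pam_loginuid last, then pam_loginuid first.
write_samples() {
    printf '%s\n' '# constructed sample' \
        'auth     include   system-auth' \
        'session  include   system-auth' \
        'session  required  pam_limits.so' \
        'session  required  pam_loginuid.so' > "$1/late"
    printf '%s\n' '# constructed sample' \
        'auth     include   system-auth' \
        'session  required  pam_loginuid.so' \
        'session  include   system-auth' \
        'session  required  pam_limits.so' > "$1/first"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp/late" "$tmp/first"; do
    echo "$(basename "$f"): $(pam_loginuid_position "$f")"
done
if [ -r /proc/self/loginuid ]; then
    echo "this session: $(loginuid_state "$(cat /proc/self/loginuid)")"
fi
rm -rf "$tmp"
```

To check a live system, pass a real service file such as one under /etc/pam.d to pam_loginuid_position, then log in again through that service and re-run the loginuid check.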
