<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000066" bgcolor="#FFFFCC">
Hi Steve,<br>
<br>
Thanks for your assistance,<br>
<br>
<blockquote cite="mid:2247361.QvknK8CF0u@x2" type="cite">
<pre wrap="">
For RHEL5, I know it's enabled. But based on your questions above, you are
asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
# cat /proc/cmdline
and
# cat /proc/self/loginuid
would let you check. In the first, make sure audit=1 is there and in the second
case, the output should be the uid under which you logged into the system.
-Steve
</pre>
</blockquote>
<blockquote>[root@test /root]# cat /proc/cmdline<br>
ro root=LABEL=/ audit=1 rhgb quiet<br>
<br>
[root@test /root]# cat /proc/self/loginuid<br>
0</blockquote>
<br>
To narrow the circle;<br>
<br>
We have some Linux servers and a central log collector system. We
are sending audit logs to this log system. This log collector system
can parse such logs, but it is confused by lines with
"auid=4294967295" in the audit logs.<br>
<br>
I have tried everything, but these lines are still coming:<br>
<blockquote>type=USER_ACCT msg=audit(1420656001.965:2804): user
pid=6083 uid=0 auid=4294967295 msg='PAM: accounting acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
res=success)'<br>
type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
auid=4294967295 msg='PAM: setcred acct="root" :
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
res=success)'<br>
</blockquote>
and<br>
<blockquote>[root@test /root]# cat /etc/pam.d/crond<br>
#<br>
# The PAM configuration file for the cron daemon<br>
#<br>
#<br>
session required pam_loginuid.so<br>
auth required pam_unix.so<br>
auth required pam_nologin.so<br>
account required pam_unix.so<br>
password required pam_unix.so<br>
session required pam_unix.so<br>
</blockquote>
So are there any other hints, or what else can I do?<br>
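<br>
Added example (not part of the original message): in the records quoted above, auid=4294967295 is the unsigned 32-bit form of -1, the value the kernel reports when no login uid has been set for a process. One way a collector-side parser could treat it as "unset" instead of a real uid, sketched in Python; the names parse_record, parse_fields and AUID_UNSET are assumptions of this sketch, not part of any audit tool:<br>
<pre>
```python
import re

# 4294967295 == 2**32 - 1: the unsigned 32-bit form of -1, i.e. loginuid unset.
AUID_UNSET = 2**32 - 1

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# value is a double-quoted string, a single-quoted payload, or a bare token
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s,)]+)")


def parse_fields(text):
    """Return key=value pairs; a quoted msg='...' payload is parsed recursively."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if value.startswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def parse_record(line):
    """Parse one audit record; an unset auid becomes None with auid_set=False."""
    match = HEADER_RE.match(" ".join(line.split()))
    if match is None:
        raise ValueError("not an audit record")
    rec_type, timestamp, serial, body = match.groups()
    record = {"type": rec_type, "time": float(timestamp), "serial": int(serial)}
    record.update(parse_fields(body))
    if "auid" in record:
        auid = int(record["auid"])
        record["auid_set"] = auid != AUID_UNSET
        record["auid"] = auid if record["auid_set"] else None
    return record


# Record quoted from the message above (crond runs without a login session).
SAMPLE = ('type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 '
          'auid=4294967295 msg=\'PAM: accounting acct="root" : '
          'exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)\'')

if __name__ == "__main__":
    print(parse_record(SAMPLE))
```
</pre>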
</body>
</html>