Audit config for NISPOM req's

[Kirkwood, David A.]

Steve,

My pam.d directory shows:

atd:session     required        pam_loginuid.so
crond:session    required   pam_loginuid.so
gdm:session    required    pam_loginuid.so
gdm-autologin:session    required    pam_loginuid.so
kcheckpass:session    required    pam_loginuid.so
kdm:session    required    pam_loginuid.so
kdm-np:session    required     pam_loginuid.so
login:session    required     pam_loginuid.so
remote:session    required     pam_loginuid.so
sshd:session    required     pam_loginuid.so
wbem:session    required     pam_loginuid.so
xdm:session    required pam_loginuid.so


I added
 xcreensaver session required pam_loginuid.so
but it had no effect.

Is there anything else I missed?

Thanks,

Dave



-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Friday, January 12, 2007 2:50 PM
To: Kirkwood, David A.
Cc: linux-audit at redhat.com
Subject: Re: Audit config for NISPOM req's

On Friday 12 January 2007 13:45, Kirkwood, David A. wrote:
> Then when I execute aureport -w --failed, the auid field shows up as
-1
> as it does for every watch list. Am I missing something?

Yes. 

#cd /etc/pam.d
#grep loginuid *

See if you have that in your pam stack. You should see something like
this:

atd:session     required        pam_loginuid.so
crond:session    required   pam_loginuid.so
gdm:session    required    pam_loginuid.so
gdm-autologin:session    required    pam_loginuid.so
kcheckpass:session    required    pam_loginuid.so
kdm:session    required    pam_loginuid.so
kdm-np:session    required     pam_loginuid.so
kscreensaver:session    required    pam_loginuid.so
login:session    required     pam_loginuid.so
remote:session    required     pam_loginuid.so
sshd:session    required     pam_loginuid.so
vsftpd:session    required     pam_loginuid.so
xdm:session    required pam_loginuid.so

-Steve