EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries

Briane Lin brlin at us.ibm.com
Wed Jun 4 19:28:32 UTC 2014


Thanks Kevin.

The systems are at RHEL server release 6.5 (Santiago)

audit.conf and audit.rules shown below from two systems.

Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin at us.ibm.com
(Office): (720) 395-2049

"The only easy day was yesterday." 
     - US Navy Seals -





From:   "Boyce, Kevin P (AS)" <Kevin.Boyce at ngc.com>
To:     Briane Lin/Phoenix/IBM at IBMUS
Date:   06/04/2014 07:00 AM
Subject:        RE: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries



You might get some better help if you can be a bit more specific.
What version of auditd, kernel, etc. are you running?
What do the contents of your audit.rules and auditd.conf files look like?
 
 
 
From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Briane Lin
Sent: Tuesday, June 03, 2014 4:29 PM
To: linux-audit at redhat.com
Subject: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries
 
We are receiving LINUX RHEL versions 5 and 6 in our environment with 
type=SYSCALL and auid=unset event types. 

We are unable to properly monitor an event with AUID=unset. Does anyone 
know why we are currently seeing these and what the resolution is? 

Thanks! 

Briane Lin 
IBM Global Technology Services - Americas 
Identity and Access Management, Automation Solutions
(Email): brlin at us.ibm.com 
(Office): (720) 395-2049 

"The only easy day was yesterday." 
    - US Navy Seals - 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 40899 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140604/26670c20/attachment.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 46271 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140604/26670c20/attachment-0001.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 44700 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140604/26670c20/attachment-0002.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 37978 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140604/26670c20/attachment-0003.jpe>

