auid=4294967295 issue

Steve Grubb sgrubb at redhat.com
Mon Jan 12 14:54:35 UTC 2015


On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote:
> We have some Linux servers and a central log collector system. We are
> sending audit logs to this log system. This log collector system can
> parse such logs, but it is confused by lines with "auid=4294967295"
> in audit logs.

auid=4294967295 is the same as auid=-1, which means that it's unset.


> I have tried everything but these lines are still coming:
> 
>     type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
>     auid=4294967295 msg='PAM: accounting acct="root" :
>     exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
>     type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
>     auid=4294967295 msg='PAM: setcred acct="root" :
>     exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> 
> and
> 
>     [root at test /root]# cat /etc/pam.d/crond
>     #
>     # The PAM configuration file for the cron daemon
>     #
>     #
>     session    required     pam_loginuid.so
>     auth       required     pam_unix.so
>     auth       required     pam_nologin.so
>     account    required     pam_unix.so
>     password   required     pam_unix.so
>     session    required     pam_unix.so
> 
> So are there any other hints, or what else can I do?

Your pam file looks different than what is shipped. You might want to try the 
default config file for crond:

auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

-Steve
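
For the collector side, an added example (not part of the original thread and not code from the audit project): a minimal Python parser that treats auid=4294967295 and auid=-1 as the same unset value and lists the records that carry no login uid. The function names are assumptions; the first two sample records are the ones quoted above, rejoined onto single lines, and the third is constructed.

```python
import re

UNSET_ID = 0xFFFFFFFF  # 4294967295, i.e. -1 stored in an unsigned 32-bit field

HEADER = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
FIELD = re.compile(r"\b(?P<key>pid|uid|auid)=(?P<val>-?\d+)")

# Records 1 and 2 come from the post (rejoined); record 3 is constructed.
SAMPLE = [
    "type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0 "
    "auid=4294967295 msg='PAM: accounting acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    "type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0 "
    "auid=4294967295 msg='PAM: setcred acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    "type=USER_ACCT msg=audit(1420656100.100:2810): user pid=6100 uid=0 "
    "auid=1000 msg='PAM: accounting acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
]

def normalize_id(raw):
    """Return the id as an int, or None when it is the unset sentinel."""
    value = int(raw) & 0xFFFFFFFF  # "-1" and "4294967295" map to the same value
    return None if value == UNSET_ID else value

def parse_record(line):
    """Parse the header plus pid/uid/auid of one audit record into a dict."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m["type"], "timestamp": m["ts"], "serial": int(m["serial"])}
    for f in FIELD.finditer(line, m.end()):
        value = normalize_id(f["val"]) if f["key"] == "auid" else int(f["val"])
        rec.setdefault(f["key"], value)  # keep the first occurrence of each key
    return rec

def unattributed(lines):
    """Records with an auid field whose value is unset (no login uid)."""
    recs = [parse_record(line) for line in lines]
    return [r for r in recs if "auid" in r and r["auid"] is None]

if __name__ == "__main__":
    for rec in unattributed(SAMPLE):
        print(rec["serial"], rec["type"], "auid unset")
```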



