auid=4294967295 issue
Steve Grubb
sgrubb at redhat.com
Mon Jan 12 14:54:35 UTC 2015
On Monday, January 12, 2015 12:12:02 PM Burak Gürer wrote:
> we have some linux servers and a central log collector system. we are
> sending audit logs to this log system. this log collector system can
> parse such logs but this system confused at lines with "auid=4294967295"
> in audit logs.
auid=4294967295 is the same as auid=-1 which means that its unset.
> i have tried everything but still this lines are coming:
>
> type=USER_ACCT msg=audit(1420656001.965:2804): user pid=6083 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" :
> exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1420656001.966:2805): user pid=6083 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" :
> exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
>
> and
>
> [root at test /root]# cat /etc/pam.d/crond
> #
> # The PAM configuration file for the cron daemon
> #
> #
> session required pam_loginuid.so
> auth required pam_unix.so
> auth required pam_nologin.so
> account required pam_unix.so
> password required pam_unix.so
> session required pam_unix.so
>
> so is there any other hints or what can i do esle?
Your pam file looks different than what is shipped. You might want to try the
default config file for crond:
auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth
-Steve
More information about the Linux-audit
mailing list