Discussion:
why auid always unset?
zhu xiuming
2013-07-23 22:49:31 UTC
I read my audit logs. I always see lots of auid values are 4294967295. Even
when I delete a file, the value is still 4294967295?
I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
the same value?
I wonder what is wrong?
zhu xiuming
2013-07-23 23:37:35 UTC
BTW, I put audit=1 to my grub.conf and restarted my host. Still the same
Steve Grubb
2013-07-24 13:53:29 UTC
Post by zhu xiuming
I read my audit logs. I always see lots of auid values are 4294967295. Even
when I delete a file, the value is still 4294967295?
In a normal system, there will be some events with 4294967295. These should be
daemons and system events. Anything caused by a user should have the auid set
to their uid. This is done by pam_loginuid.
Post by zhu xiuming
I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
the same value?
I wonder what is wrong?
cat /proc/self/loginuid

If that shows the account you logged in with, it's working. If not, then
something is wrong with pam or the kernel.

-Steve
zhu xiuming
2013-07-25 22:35:52 UTC
Thanks.
I removed quiet from grub.conf and I can see the output at boot.
I do see something like
start audit [ok]

The problem is, cat /proc/self/loginuid is still 4294967295 if I login.

However, I do see lots of events where the auid is 0. I even see the auid change
reflected in the event.
Like

type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
uid=root old auid=unset new auid=root

So, I am really confused.
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Steve Grubb
2013-07-25 23:54:01 UTC
Post by zhu xiuming
The problem is, cat /proc/self/loginuid is still 4294967295 if I login.
However, I do see lots of events the auid is 0. I even see auid change
reflect in the event.
Like
type=LOGIN msg=audit(07/20/2013 17:45:01.502:40221) : login pid=4952
uid=root old auid=unset new auid=root
This would be a root login, which should be forbidden since root is a shared
account amongst admins.
Post by zhu xiuming
So, I am really confused.
Something is wrong in your pam setup. You might check the compile flags or if
pam_loginuid is in the right section. But that is undoubtedly the problem.

-Steve
zhu xiuming
2013-07-25 23:58:21 UTC
So, what should be the right settings for pam_loginuid? Is there any
documentation ?

thanks a lot
zhu xiuming
2013-07-26 21:20:04 UTC
Hi,
Finally, I found out that the order of pam_loginuid was wrong. It should be
the first of the session required modules.
Now, it works.
Thanks a lot
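Two checks for the situation described in this thread, written as an added example (not code from the thread or from the audit project): loginuid_position reports where pam_loginuid.so sits among the session lines of a PAM service file (it has to come before the other session modules, as the final post found), and count_auid counts raw audit records carrying a given auid, so unset (4294967295) and root (0) login uids can be spotted in bulk. The PAM files and audit records below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. All inputs are constructed.

# Constructed service file with pam_loginuid ordered last: the
# misordering the original poster hit.
PAM_BAD='session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_loginuid.so'

# Constructed service file with pam_loginuid first in the session stack.
PAM_GOOD='session    required     pam_loginuid.so
session    required     pam_limits.so
session    required     pam_unix.so'

# Print the 1-based position of pam_loginuid.so among the session lines
# of the PAM config text in $1, or 0 if it is absent. Anything other
# than 1 means earlier session modules run before the login uid is set.
# Usage on a real host: loginuid_position "$(cat /etc/pam.d/sshd)"
loginuid_position() {
    printf '%s\n' "$1" | awk '
        ($1 == "session" || $1 == "-session") {
            n++
            if ($0 ~ /pam_loginuid\.so/) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Constructed raw auditd records (not ausearch -i output): two with auid
# unset, one root login, one ordinary user.
AUDIT_LINES='type=SYSCALL msg=audit(1374363901.502:40221): syscall=87 success=yes auid=4294967295 uid=0 comm="cron"
type=SYSCALL msg=audit(1374363902.100:40222): syscall=87 success=yes auid=4294967295 uid=1000 comm="rm"
type=SYSCALL msg=audit(1374363903.200:40223): syscall=87 success=yes auid=0 uid=0 comm="rm"
type=SYSCALL msg=audit(1374363904.300:40224): syscall=87 success=yes auid=1000 uid=1000 comm="rm"'

# Print how many records in $1 carry auid=$2. The match is on the whole
# field, so auid=0 does not also match auid=1000.
count_auid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { for (i = 1; i <= NF; i++) if ($i == "auid=" want) { c++; break } }
        END { print c + 0 }'
}

# The live check from the thread: is the login uid of this session set?
if [ "$(cat /proc/self/loginuid 2>/dev/null)" = 4294967295 ]; then
    echo "auid is unset in this session: check pam_loginuid ordering"
fi
```

Records with an unset auid that come from an interactive command (the second constructed line, uid=1000 running rm) are the ones that lose accountability; daemon and cron activity with an unset auid is expected, as Steve notes above.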