On Tuesday, July 23, 2013 03:49:31 PM zhu xiuming wrote:
> I read my audit logs. I always see lots of auid values are 4294967295. Even
> when I delete a file, the value is still 4294967295?

In a normal system, there will be some events with 4294967295. These should be daemons and system events. Anything caused by a user should have the auid set to their uid. This is done by pam_loginuid.

> I added pam_loginuid to gdm, login, kdm, sshd, vsftpd. However, it is still
> the same value?
> I wonder what is wrong?

cat /proc/self/loginuid

If that shows the account you logged in with, it's working. If not, then something is wrong with pam or the kernel.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
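
The check described in the message above, as an added example that is not part of the original post or of the audit project: it classifies the value in /proc/self/loginuid and reports which PAM service files carry an active pam_loginuid session line. The function names, the /etc/pam.d location and the grep pattern are assumptions of this example; it reads each service file directly and does not follow include or substack directives.

```shell
#!/bin/sh
# Added example: diagnose why audit records carry auid=4294967295.
UNSET_AUID=4294967295   # (uint32)-1, shown when no loginuid has been set

# Classify a value as read from /proc/<pid>/loginuid.
loginuid_state() {
    case "$1" in
        "$UNSET_AUID") echo unset ;;
        ''|*[!0-9]*)   echo invalid ;;
        *)             echo set ;;
    esac
}

# Succeed if a PAM service file has an active (uncommented) session line
# that loads pam_loginuid.so. Returns 2 if the file cannot be read.
pam_has_loginuid() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_loginuid\.so' "$1"
}

# Report, per service, whether pam_loginuid is configured.
# usage: check_services PAM_DIR service...
check_services() {
    dir=$1; shift
    for svc in "$@"; do
        if [ ! -e "$dir/$svc" ]; then
            echo "$svc: no-file"
        elif pam_has_loginuid "$dir/$svc"; then
            echo "$svc: ok"
        else
            echo "$svc: missing"
        fi
    done
}

main() {
    f=/proc/self/loginuid
    if [ -r "$f" ]; then
        v=$(cat "$f" 2>/dev/null) || v=
        echo "loginuid=$v ($(loginuid_state "$v"))"
    else
        echo "loginuid: $f not readable"
    fi
    # Service names are the ones listed in the message; /etc/pam.d is assumed.
    check_services /etc/pam.d gdm login kdm sshd vsftpd
    return 0
}
main
```

Run it from a fresh login through the service being tested, since loginuid is set at session start and an already-running session keeps its old value.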