On Thu, 5 Jun 2014 19:34:04 +0200, Laurent Bigonville <[email protected]> wrote:
> On Wed, 04 Jun 2014 19:04:52 -0400,
> Steve Grubb <[email protected]> wrote:
[...]
> > You are missing a type=LOGIN event right here. If you do a "cat
> > /proc/self/loginuid" and it's set to something besides -1, we have a
> > kernel bug.
> >
>
> Actually, my grepping was wrong, I'm seeing the following line
> too:
>
> type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0
> old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1

Any idea here then?

Regarding "/proc/self/loginuid" it's always set to the uid of the user here.

Looking at aulast code, I can see that there are differences for kernels before or after 3.13. My machine is running 3.14, could this be related?

Cheers,

Laurent Bigonville
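For reading records like the one quoted in the message above, here is an added example (not part of the thread and not aulast's code): a small parser that accepts both the hyphenated field layout shown in the message and the space-separated layout assumed here for kernels before 3.13, and treats 4294967295 as the unset value. The function names and the second sample line are constructed for illustration.

```python
import re

UNSET = 0xFFFFFFFF  # 4294967295, i.e. (uint32)-1: loginuid / session id not assigned

_HEADER = re.compile(r"type=LOGIN msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
# Newer layout (as quoted in the message): old-auid=... new-auid=...
# Older layout (assumption, pre-3.13 kernels): "old auid=... new auid=..."
_FIELD = re.compile(r"\b((?:old|new)[- ](?:auid|ses)|pid|uid|res)=(\d+)")


def parse_login(line):
    """Return a dict of integer fields for a type=LOGIN record, else None."""
    m = _HEADER.search(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "serial": int(m.group(2))}
    for key, value in _FIELD.findall(m.group(3)):
        rec[key.replace(" ", "-")] = int(value)  # normalise to hyphenated names
    required = ("old-auid", "new-auid", "old-ses", "new-ses")
    return rec if all(k in rec for k in required) else None


def classify(rec):
    """Describe what the loginuid transition in a parsed record means."""
    if rec.get("res", 1) != 1:  # no res= in the older layout: assume success
        return "failed"
    if rec["old-auid"] == UNSET and rec["new-auid"] != UNSET:
        return "session-start"  # first assignment: a fresh login session
    if rec["new-auid"] == UNSET:
        return "unset"
    return "changed"  # loginuid was already set and was rewritten


SAMPLES = [
    # Record quoted in the message above.
    "type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1",
    # Constructed sample in the assumed older layout.
    "type=LOGIN msg=audit(1300000000.000:10): login pid=2288 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_login(line)
        print(rec["serial"], rec["new-auid"], rec["new-ses"], classify(rec))
```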
