[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-audit
Subject:    Re: issue with file watches on Suse 10.1 using latest 2.6.18-rc4
From:       Amy Griffis <amy.griffis () hp ! com>
Date:       2006-08-10 15:40:41
Message-ID: 20060810154041.GA12092 () fc ! hp ! com
[Download RAW message or body]

Timothy R. Chavez wrote:  [Thu Aug 10 2006, 11:04:29AM EDT]
> On Wed, 2006-08-09 at 18:08 -0400, Rick Warner wrote:
> > Hello all,
> > 
> > I am trying to set up file watches for files such as /etc/passwd 
> > and /etc/shadow.  I am using Suse 10.1.  I have updated the kernel to a 
> > kernel.org 2.6.18-rc4 kernel, and have updated the audit userspace tools to 
> > version 1.2.3.  I can add filesystem watches with "auditctl -w /etc/passwd" 
> > successfully now.  Entries in the audit.log are created. 
> > 
> > The first problem is that when I use "aureport -w", it tells me "<no events of 
> > interest were found>".  Using "aureport -f" instead, it shows entries 
> > for /etc/passwd, but the auid column for all results is -1 (or "unset" if 
> > using the -i option to aureport).  Looking at the audit logfile, 
> > auid=4294967295 which then correlates to -1 when used as a signed vs unsigned 
> > int.
> > 
> > How can I fix this?
> > 
> 
> Rick,
> 
> I believe a special PAM package is used to capture the login uid (auid).
> I'm guessing that's where your problem lies.

pam_loginuid(8) has some helpful info.

[prev in list] [next in list] [prev in thread] [next in thread]