[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Linux Audit Framework question



Hello,

I write you because i do not know how to go further without solving my problem.
When a user switches from username to root using sudo su - this action is audited by LAF but since that change the user-id in the LAF logfile is 0 for root user. If my user uses chmod afterwords to change file permissions i can not see which user did the change because user-id is 0 and the auditid is always 4294967295.
Can you tell me how it is possible to trace the user after switching to root ??


Thanks in advance,
Jan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]