auid field when switching user
Steve Grubb
sgrubb at redhat.com
Wed May 6 14:56:08 UTC 2015
Hello,
On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> I'm trying to use auditd to log all actions made by the users on the
> system. This part works fine.
>
> The documentation mention the "auid" field to identify the user from the
> first connection "even" when the user's identity changes (like with a su):
Correct.
> auid=500
> The auid field records the Audit user ID, that is the loginuid. This ID is
> assigned to a user upon login and is inherited by every process even when
> the user's identity changes (for example, by switching user accounts with
> the su - john command).
>
> But this is not working. If I log with the user "test" (uid 1000) when I
> switch to the user root, the value of auid is 0 (the uid of root).
How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:
AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed
-Steve
More information about the Linux-audit
mailing list