Hello,
I am writing to you because I do not know how to go further without solving my problem.
When a user switches from username to root using sudo su - this action is audited by LAF
but since that change the user-id in the LAF logfile is 0 for root user. If my user uses
chmod afterwards to change file permissions, I cannot see which user did the change
because user-id is 0 and the auditid is always 4294967295.
Can you tell me how it is possible to trace the user after switching to root?
Thanks in advance,
Jan