I'm trying to use auditd to log all actions made by the users on the system. This part works fine. The documentation mention the "auid" field to identify the user from the first connection "even" when the user's identity changes (like with a su):

auid=500 The auid field records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with the su - john command). But this is not working. If I log with the user "test" (uid 1000) when I switch to the user root, the value of auid is 0 (the uid of root).

On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote: > Hello, > > On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote: > > I'm trying to use auditd to log all actions made by the users on the > > system. This part works fine. > > > > The documentation mention the "auid" field to identify the user from the > > first connection "even" when the user's identity changes (like with a su): > > Correct. > > > auid=500 > > The auid field records the Audit user ID, that is the loginuid. This ID is > > assigned to a user upon login and is inherited by every process even when > > the user's identity changes (for example, by switching user accounts with > > the su - john command). > > > > But this is not working. If I log with the user "test" (uid 1000) when I > > switch to the user root, the value of auid is 0 (the uid of root). > > How did you switch the user? I would like to try recreating the issue. It may > be that the underlying implementation actually does log you out. You'd have to > look for one of: > > AUDIT_USER_LOGOUT - User has logged out > AUDIT_USER_END - User session end > AUDIT_CRED_DISP - User credential disposed > Perhaps pam_loginuid hasn't been applied in /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat} When searching for the module, do you see something like # grep pam_loginuid /etc/pam.d/* /etc/pam.d/atd:session required pam_loginuid.so /etc/pam.d/crond:session required pam_loginuid.so /etc/pam.d/gdm:session required pam_loginuid.so /etc/pam.d/gdm-autologin:session required pam_loginuid.so /etc/pam.d/gdm-fingerprint:session required pam_loginuid.so /etc/pam.d/gdm-password:session required pam_loginuid.so /etc/pam.d/login:session required pam_loginuid.so /etc/pam.d/remote:session required pam_loginuid.so /etc/pam.d/sshd:session required pam_loginuid.so /etc/pam.d/ssh-keycat:session required pam_loginuid.so # If not, then read up on how to use required pam modules. > > -Steve > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit