On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote:
I'm trying to find a definition of "auid", besides
"audit UID". If user Joe
with UID 1814 logs in and sudo to application account "british" which has a
UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
"su -" to root, is their auid 0?
auid is also known as the loginuid. its the account that you enter the system
with. Since root is a shared accound amongst admins, you should also forbid
logging in under root. The auid should never change during the life of your
session. Which brings up another point. At login, you also get a session id
(ses) which is also inherited by all processes in your session. This allows
the audit system to disambiguate the actions of two simultaneous logins to the
same account.
-Steve