Hello,
On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
I'm trying to use auditd to log all actions made by the users on the system. This part works fine.
The documentation mentions the "auid" field to identify the user from the
first connection "even" when the user's identity changes (like with a su):
Correct.
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is
assigned to a user upon login and is inherited by every process even when
the user's identity changes (for example, by switching user accounts with
the su - john command).
But this is not working. If I log in as the user "test" (uid 1000), when I
switch to the user root, the value of auid is 0 (the uid of root).
How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:
AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed
-Steve
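
The check suggested in the reply can be run over the audit log itself. The sketch below is an added example, not part of the original message: it parses audit.log-style lines and, at each point where auid changes, lists the USER_LOGOUT, USER_END or CRED_DISP records seen for the previous auid. The sample records and the function names are constructed for illustration.

```python
import re

# Record types named in the reply; audit.log writes them without the AUDIT_ prefix.
SESSION_END_TYPES = {"USER_LOGOUT", "USER_END", "CRED_DISP"}
UNSET_AUID = 4294967295  # loginuid not set (for example, daemons started at boot)
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\(\d+\.\d+:(?P<serial>\d+)\):")
FIELD = re.compile(r"\b(pid|uid|auid|ses)=(\d+)")

# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=USER_START msg=audit(1430923100.100:201): pid=2101 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="test" res=success'
type=SYSCALL msg=audit(1430923120.200:205): syscall=59 success=yes pid=2150 uid=1000 auid=1000 ses=7 comm="ls"
type=CRED_DISP msg=audit(1430923130.300:210): pid=2101 uid=0 auid=1000 ses=7 msg='op=PAM:setcred acct="test" res=success'
type=USER_END msg=audit(1430923130.310:211): pid=2101 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="test" res=success'
type=USER_START msg=audit(1430923140.400:220): pid=2300 uid=0 auid=0 ses=8 msg='op=PAM:session_open acct="root" res=success'
type=SYSCALL msg=audit(1430923150.500:221): syscall=59 success=yes pid=2310 uid=0 auid=0 ses=8 comm="id"
"""

def parse_records(text):
    """Return one dict per audit record: type, serial, and pid/uid/auid/ses if present."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rec = {"type": m["type"], "serial": int(m["serial"])}
        for key, value in FIELD.findall(line):
            rec.setdefault(key, int(value))  # first occurrence of each field wins
        records.append(rec)
    return records

def auid_changes(records):
    """Report each auid transition with the session-end records that preceded it."""
    changes, prev, ends = [], None, []
    for rec in records:
        auid = rec.get("auid")
        if auid is None or auid == UNSET_AUID:
            continue
        if prev is not None and auid != prev:
            changes.append({"from": prev, "to": auid, "at": rec["serial"], "session_ends": ends})
            ends = []
        if rec["type"] in SESSION_END_TYPES:
            ends.append((rec["type"], rec["serial"]))
        prev = auid
    return changes

if __name__ == "__main__":
    for change in auid_changes(parse_records(SAMPLE_LOG)):
        print(change)
```

A transition reported with a non-empty `session_ends` list means the original login session was closed before the new auid appeared; a privilege switch that keeps the session shows a changed uid with the same auid and produces no transition.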