On Friday, November 14, 2014 10:16:12 AM David Flatley wrote:
While checking audit logs for failed logins, it was noticed that the
AUID was one name and there was a UID of the user that failed login. The
only thing we can figure is that the AUID user rebooted the system
by logging in as himself and then using sudo to reboot the system prior to
the fails. Are we correct in this assumption?

Maybe. If the auid was someone with admin powers, they might have restarted a
daemon which would insert their auid into the daemon and then cause other
users' logins to be wrong. But generally when auid!=uid, then they have used
sudo or su.
-Steve
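
Added example, not part of the original thread: a small Python triage script that sorts audit records into the two cases described in the reply, auid differing from uid after sudo or su, and a login daemon carrying an admin's auid after being restarted from a login session. The sample records are constructed, and the daemon path list and verdict names are assumptions for illustration.

```python
import re

# (uid_t)-1: the kernel's value for "no login uid set", normal for boot-started daemons
UNSET_AUID = {"4294967295", "-1"}
# Assumption: executables treated as login daemons on this host
LOGIN_DAEMONS = {"/usr/sbin/sshd", "/usr/bin/login", "/usr/sbin/gdm"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (abbreviated), not taken from a real system
SAMPLE = """\
type=USER_LOGIN msg=audit(1415978172.101:410): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1415978190.552:415): pid=2310 uid=0 auid=1000 ses=3 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1415978101.220:399): arch=c000003e syscall=59 success=yes exit=0 pid=2151 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="reboot" exe="/usr/sbin/reboot"
"""


def parse(line):
    """Split one audit record into a dict, including fields nested in msg='...'."""
    pairs = FIELD.findall(line.replace("'", " "))
    return {key: value.strip('"') for key, value in pairs}


def classify(rec):
    """Explain the auid/uid relationship of one parsed record."""
    auid, uid = rec.get("auid"), rec.get("uid")
    if auid in UNSET_AUID:
        return "no-login-uid"            # expected for a daemon started at boot
    if rec.get("exe") in LOGIN_DAEMONS:
        return "daemon-inherited-auid"   # daemon restarted from a login session
    if auid != uid:
        return "sudo-or-su"              # identity changed after login
    return "direct"


def review(text):
    """Return (type, auid, uid, verdict) for every record that carries an auid."""
    rows = []
    for line in text.splitlines():
        rec = parse(line)
        if "auid" in rec:
            rows.append((rec["type"], rec["auid"], rec.get("uid"), classify(rec)))
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE):
        print(*row)
```

A "daemon-inherited-auid" verdict on a failed login means the auid in that record identifies whoever restarted the daemon, not the account that failed to log in; the `acct` field carries the latter.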