James, thanks! I thought that was it, but I have to brief on recommended audit.rules changes and hate telling someone something when I'm not sure.

Leam


On Tue, Oct 29, 2013 at 3:43 PM, CHAPLIN, JAMES (CTR) <JAMES.CHAPLIN@cbp.dhs.gov> wrote:

His auid will be 1814 and does not change as long as he is log into that account, he can su to any ID, but the auid remains the same.

 

James Chaplin, ITIL® v3 Foundation
Systems Programmer, MVS, zVM & zLinux
Base Technologies, a CA Technologies Company
Supporting the zSeries Platform Team
Data Center Operations Branch
Enterprise Data Center Operations Group
Enterprise Data Management & Engineering Division
Office of Information and Technology
Department of Homeland Security/U.S. Customs & Border Protection
(703) 921-6220
James.Chaplin@cbp.dhs.gov

 image005

 

From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of leam hall
Sent: Tuesday, October 29, 2013 3:40 PM
To: linux-audit@redhat.com
Subject: auid?

 

Hey all,

I'm trying to find a definition of "auid", besides "audit UID". If user Joe with UID 1814 logs in and sudo to application account "british" which has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an "su -" to root, is their auid 0?

Thanks!

Leam




--
Mind on a Mission