From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: auid field when switching user Date: Wed, 06 May 2015 10:56:08 -0400 Message-ID: <2619501.3BvT2m2UX6@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com Hello, On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote: > I'm trying to use auditd to log all actions made by the users on the > system. This part works fine. > > The documentation mention the "auid" field to identify the user from the > first connection "even" when the user's identity changes (like with a su): Correct. > auid=500 > The auid field records the Audit user ID, that is the loginuid. This ID is > assigned to a user upon login and is inherited by every process even when > the user's identity changes (for example, by switching user accounts with > the su - john command). > > But this is not working. If I log with the user "test" (uid 1000) when I > switch to the user root, the value of auid is 0 (the uid of root). How did you switch the user? I would like to try recreating the issue. It may be that the underlying implementation actually does log you out. You'd have to look for one of: AUDIT_USER_LOGOUT - User has logged out AUDIT_USER_END - User session end AUDIT_CRED_DISP - User credential disposed -Steve