linux-audit.redhat.com archive mirror
* auid?
@ 2013-10-29 19:39 leam hall
       [not found] ` <40AC52966168B9469F326C66724C5E652E6118FA@D2ASEPREA009.DSA.DHS>
  2013-10-29 20:00 ` auid? Steve Grubb
  0 siblings, 2 replies; 3+ messages in thread
From: leam hall @ 2013-10-29 19:39 UTC (permalink / raw)
  To: linux-audit


Hey all,

I'm trying to find a definition of "auid", besides "audit UID". If user Joe
with UID 1814 logs in and sudo to application account "british" which has a
UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
"su -" to root, is their auid 0?

Thanks!

Leam


-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: auid?
       [not found] ` <40AC52966168B9469F326C66724C5E652E6118FA@D2ASEPREA009.DSA.DHS>
@ 2013-10-29 19:52   ` leam hall
  0 siblings, 0 replies; 3+ messages in thread
From: leam hall @ 2013-10-29 19:52 UTC (permalink / raw)
  To: CHAPLIN, JAMES (CTR), linux-audit


James, thanks! I thought that was it, but I have to brief on recommended
audit.rules changes and hate telling someone something when I'm not sure.

Leam


On Tue, Oct 29, 2013 at 3:43 PM, CHAPLIN, JAMES (CTR) <
JAMES.CHAPLIN@cbp.dhs.gov> wrote:

> His auid will be 1814 and does not change as long as he is logged into that
> account, he can su to any ID, but the auid remains the same.
>
> James Chaplin, ITIL® v3 Foundation
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, a CA Technologies Company
> Supporting the zSeries Platform Team
> Data Center Operations Branch
> Enterprise Data Center Operations Group
> Enterprise Data Management & Engineering Division
> Office of Information and Technology
> Department of Homeland Security/U.S. Customs & Border Protection
> (703) 921-6220
> James.Chaplin@cbp.dhs.gov
>
> From: linux-audit-bounces@redhat.com [mailto:
> linux-audit-bounces@redhat.com] On Behalf Of leam hall
> Sent: Tuesday, October 29, 2013 3:40 PM
> To: linux-audit@redhat.com
> Subject: auid?
>
> Hey all,
>
> I'm trying to find a definition of "auid", besides "audit UID". If user
> Joe with UID 1814 logs in and sudo to application account "british" which
> has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone
> does an "su -" to root, is their auid 0?
>
> Thanks!
>
> Leam
>
> --
> Mind on a Mission <http://leamhall.blogspot.com/>
>



-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: auid?
  2013-10-29 19:39 auid? leam hall
       [not found] ` <40AC52966168B9469F326C66724C5E652E6118FA@D2ASEPREA009.DSA.DHS>
@ 2013-10-29 20:00 ` Steve Grubb
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2013-10-29 20:00 UTC (permalink / raw)
  To: linux-audit

On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote:
> I'm trying to find a definition of "auid", besides "audit UID". If user Joe
> with UID 1814 logs in and sudo to application account "british" which has a
> UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
> "su -" to root, is their auid 0?

auid is also known as the loginuid. It's the account that you enter the system
with. Since root is a shared account amongst admins, you should also forbid
logging in under root. The auid should never change during the life of your
session. Which brings up another point. At login, you also get a session id 
(ses) which is also inherited by all processes in your session. This allows 
the audit system to disambiguate the actions of two simultaneous logins to the 
same account.

-Steve
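
The scenario from this thread, as an added example that is not part of any message above: it parses trimmed SYSCALL audit records and groups them by (auid, ses), showing the effective UID changing under sudo/su while auid stays fixed, and two logins to the same account separated by ses. The log lines are constructed for illustration; the 4294967295 value marks an unset loginuid (a process not started from a login), and the function names are hypothetical.

```python
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # (uint32)-1: loginuid was never set, e.g. a boot-time daemon

# Constructed sample records (trimmed SYSCALL lines), not taken from a real system.
# Joe (1814) logs in, sudos to "british" (1776), then su's to root, all in ses=3;
# a second simultaneous login by Joe gets ses=7.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383075600.101:201): syscall=59 auid=1814 uid=1814 euid=1814 ses=3 comm="bash"
type=SYSCALL msg=audit(1383075660.202:202): syscall=59 auid=1814 uid=1776 euid=1776 ses=3 comm="app"
type=SYSCALL msg=audit(1383075720.303:203): syscall=59 auid=1814 uid=0 euid=0 ses=3 comm="bash"
type=SYSCALL msg=audit(1383075780.404:204): syscall=59 auid=1814 uid=1814 euid=1814 ses=7 comm="vim"
type=SYSCALL msg=audit(1383075840.505:205): syscall=59 auid=4294967295 uid=0 euid=0 ses=4294967295 comm="crond"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["serial"] = int(MSG_ID.search(rec["msg"]).group(2))
    for key in ("auid", "uid", "euid", "ses"):
        rec[key] = int(rec[key])
    return rec

def attribute(log_text):
    """Group events by (auid, ses): who logged in, and in which login session."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("type=SYSCALL"):
            rec = parse_record(line)
            sessions[(rec["auid"], rec["ses"])].append(rec)
    return dict(sessions)

def uids_used(events):
    """Distinct effective UIDs seen within one login session."""
    return sorted({e["euid"] for e in events})

if __name__ == "__main__":
    for (auid, ses), events in sorted(attribute(SAMPLE_LOG).items()):
        who = "unset (no login)" if auid == UNSET_AUID else str(auid)
        print(f"auid={who} ses={ses}: euids={uids_used(events)} "
              f"commands={[e['comm'] for e in events]}")
```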
