From: Steve Grubb
Subject: Re: auid?
Date: Tue, 29 Oct 2013 16:00:15 -0400
Message-ID: <5241210.1FcFVX5v78@x2>
To: linux-audit@redhat.com

On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote:
> I'm trying to find a definition of "auid", besides "audit UID". If user Joe
> with UID 1814 logs in and sudo to application account "british" which has a
> UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
> "su -" to root, is their auid 0?

auid is also known as the loginuid. It's the account that you enter the system
with. Since root is a shared account amongst admins, you should also forbid
logging in under root. The auid should never change during the life of your
session.

Which brings up another point. At login, you also get a session id (ses) which
is also inherited by all processes in your session. This allows the audit
system to disambiguate the actions of two simultaneous logins to the same
account.

-Steve
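
Added example, not part of Steve Grubb's message and not code from the audit project: a short Python script that groups audit records by login (auid plus ses) and lists actions taken under a different uid, using the UIDs from the question. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit log style (not from the thread).
# Joe (UID 1814) has two simultaneous logins: in session 3 he uses sudo to
# act as "british" (UID 1776); in session 4 he runs "su -" to become root.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383076815.101:201): syscall=59 success=yes pid=4101 auid=1814 uid=1814 euid=1814 ses=3 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1383076820.417:202): syscall=59 success=yes pid=4130 auid=1814 uid=1776 euid=1776 ses=3 comm="id" exe="/usr/bin/id"
type=SYSCALL msg=audit(1383076822.009:203): syscall=59 success=yes pid=4188 auid=1814 uid=0 euid=0 ses=4 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1383076825.550:204): syscall=59 success=yes pid=812 auid=4294967295 uid=0 euid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = 4294967295  # (u32)-1: the kernel's value for "no login uid / no session"


def parse_record(line):
    """Split one audit record into a dict, converting the id fields to int."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    for key in ("auid", "uid", "euid", "ses"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def group_by_login(log_text):
    """Return {(auid, ses): [(uid, comm), ...]}, skipping records with no login."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("auid", UNSET) == UNSET:
            continue  # daemon or boot-time process: nobody logged in
        key = (rec["auid"], rec.get("ses", UNSET))
        logins[key].append((rec["uid"], rec["comm"]))
    return dict(logins)


def actions_under_other_uid(log_text):
    """List (auid, ses, uid, comm) where the acting uid differs from the login uid."""
    return [(auid, ses, uid, comm)
            for (auid, ses), events in group_by_login(log_text).items()
            for uid, comm in events if uid != auid]


if __name__ == "__main__":
    for row in actions_under_other_uid(SAMPLE_LOG):
        print("auid=%d ses=%d acted as uid=%d running %s" % row)
```

On the sample, Joe's sudo and su actions both stay attributed to auid 1814, while ses 3 and ses 4 keep his two simultaneous logins apart.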