auid?

[Steve Grubb]

On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote:
> I'm trying to find a definition of "auid", besides "audit UID". If user Joe
> with UID 1814 logs in and sudo to application account "british" which has a
> UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an
> "su -" to root, is their auid 0?

auid is also known as the loginuid. its the account that you enter the system 
with. Since root is a shared accound amongst admins, you should also forbid 
logging in under root. The auid should never change during the life of your 
session. Which brings up another point. At login, you also get a session id 
(ses) which is also inherited by all processes in your session. This allows 
the audit system to disambiguate the actions of two simultaneous logins to the 
same account.

-Steve