AUID question
Steve Grubb
sgrubb at redhat.com
Fri Nov 14 15:26:26 UTC 2014
On Friday, November 14, 2014 10:16:12 AM David Flatley wrote:
> While checking audit logs for failed logins, it was noticed that the
> AUID was one name and there was a UID of the user that failed login. The
> only thing we can figure is that the AUID user rebooted the system
> by logging in as himself and then using sudo to reboot the system prior to
> the fails. Are we correct in this assumption?
Maybe. If the auid was someone with admin powers, they might have restarted a
daemon which would insert their auid into the daemon and then cause other
users' logins to be wrong. But generally when auid!=uid, then they have used
sudo or su.
-Steve
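
An added example, not part of the original message: a small triage script that applies the reasoning in the reply to raw audit records. The log lines, account names and labels are constructed for illustration; 4294967295 is the kernel's "unset" auid value, and the classification is a heuristic, not an audit-tool feature.

```python
import re

UNSET_AUID = 4294967295  # (uint32)-1: process has no login uid assigned

# Constructed sample records in raw audit.log layout (not from the thread).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1415978000.101:201): pid=1840 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="dave" exe="/usr/sbin/sshd" terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1415978772.412:318): pid=2211 uid=0 auid=1000 ses=3 msg='op=login acct="dave" exe="/usr/sbin/sshd" terminal=ssh res=failed'
type=USER_CMD msg=audit(1415978500.007:290): pid=2100 uid=1000 auid=1000 ses=3 msg='cwd="/home/admin" cmd="id" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1415978600.550:301): arch=c000003e syscall=59 success=yes pid=2150 auid=1000 uid=0 ses=3 comm="reboot" exe="/usr/sbin/reboot"
"""

FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")
LOGIN_TYPES = {"USER_LOGIN", "USER_AUTH"}

def parse_record(line):
    """Return the key=value fields of one record; the first occurrence wins."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value.strip("\"'"))
    fields["serial"] = SERIAL_RE.search(line).group(1)
    return fields

def classify(fields):
    """Label a record by how its auid relates to its uid."""
    auid, uid = int(fields["auid"]), int(fields["uid"])
    if fields["type"] in LOGIN_TYPES:
        # A login daemon started at boot has no auid. A set auid suggests the
        # daemon was restarted from an admin's session and inherited it.
        return "expected" if auid == UNSET_AUID else "daemon-inherited-auid"
    if auid == UNSET_AUID:
        return "no-login-session"
    # Same login uid but a different effective user: sudo or su was used.
    return "direct" if auid == uid else "identity-changed"

def triage(log_text):
    """Return (serial, type, label) for every record in log_text."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    return [(r["serial"], r["type"], classify(r)) for r in records]

if __name__ == "__main__":
    for serial, rtype, label in triage(SAMPLE_LOG):
        print(f"{serial:>5}  {rtype:<11} {label}")
```
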