auid field when switching user

Burn Alting burn at swtf.dyndns.org
Wed May 6 22:13:44 UTC 2015 

On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> Hello,
> 
> On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > I'm trying to use auditd to log all actions made by the users on the
> > system. This part works fine.
> > 
> > The documentation mention the "auid" field to identify the user from the
> > first connection "even" when the user's identity changes (like with a su):
> 
> Correct.
> 
> > auid=500
> > The auid field records the Audit user ID, that is the loginuid. This ID is
> > assigned to a user upon login and is inherited by every process even when
> > the user's identity changes (for example, by switching user accounts with
> > the su - john command).
> > 
> > But this is not working. If I log with the user "test" (uid 1000) when I
> > switch to the user root, the value of auid is 0 (the uid of root).
> 
> How did you switch the user? I would like to try recreating the issue. It may 
> be that the underlying implementation actually does log you out. You'd have to 
> look for one of:
> 
> AUDIT_USER_LOGOUT -  User has logged out
> AUDIT_USER_END - User session end
> AUDIT_CRED_DISP - User credential disposed
>

Perhaps pam_loginuid hasn't been applied
in /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}

When searching for the module, do you see something like
        # grep pam_loginuid /etc/pam.d/*
        /etc/pam.d/atd:session    required    pam_loginuid.so
        /etc/pam.d/crond:session    required   pam_loginuid.so
        /etc/pam.d/gdm:session    required    pam_loginuid.so
        /etc/pam.d/gdm-autologin:session    required    pam_loginuid.so
        /etc/pam.d/gdm-fingerprint:session     required
        pam_loginuid.so
        /etc/pam.d/gdm-password:session     required
        pam_loginuid.so
        /etc/pam.d/login:session    required     pam_loginuid.so
        /etc/pam.d/remote:session    required     pam_loginuid.so
        /etc/pam.d/sshd:session    required     pam_loginuid.so
        /etc/pam.d/ssh-keycat:session    required     pam_loginuid.so
        #

If not, then read up on how to use required pam modules.

> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list