Thank you! I think you pointed out what was missing. My first try was on Debian wheezy. Now I am trying on Debian jessie. With jessie, all requirements seem to be present and the auid field has the right value!
type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59 success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2 ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716): cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"

Thank you for your help!

-- Guillaume

On Thu, May 7, 2015 at 12:13 AM, Burn Alting <[email protected]> wrote:
> On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> > Hello,
> >
> > On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > > I'm trying to use auditd to log all actions made by the users on the
> > > system. This part works fine.
> > >
> > > The documentation mentions the "auid" field to identify the user from the
> > > first connection "even" when the user's identity changes (like with a su):
> >
> > Correct.
> >
> > > auid=500
> > > The auid field records the Audit user ID, that is the loginuid. This ID is
> > > assigned to a user upon login and is inherited by every process even when
> > > the user's identity changes (for example, by switching user accounts with
> > > the su - john command).
> > >
> > > But this is not working. If I log in as the user "test" (uid 1000), when I
> > > switch to the user root, the value of auid is 0 (the uid of root).
> >
> > How did you switch the user? I would like to try recreating the issue. It may
> > be that the underlying implementation actually does log you out. You'd have to
> > look for one of:
> >
> > AUDIT_USER_LOGOUT - User has logged out
> > AUDIT_USER_END - User session end
> > AUDIT_CRED_DISP - User credential disposed
> >
>
> Perhaps pam_loginuid hasn't been applied in
> /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
>
> When searching for the module, do you see something like
> # grep pam_loginuid /etc/pam.d/*
> /etc/pam.d/atd:session required pam_loginuid.so
> /etc/pam.d/crond:session required pam_loginuid.so
> /etc/pam.d/gdm:session required pam_loginuid.so
> /etc/pam.d/gdm-autologin:session required pam_loginuid.so
> /etc/pam.d/gdm-fingerprint:session required pam_loginuid.so
> /etc/pam.d/gdm-password:session required pam_loginuid.so
> /etc/pam.d/login:session required pam_loginuid.so
> /etc/pam.d/remote:session required pam_loginuid.so
> /etc/pam.d/sshd:session required pam_loginuid.so
> /etc/pam.d/ssh-keycat:session required pam_loginuid.so
> #
>
> If not, then read up on how to use required pam modules.
>
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
>
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
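The record Guillaume posted shows the property this thread is about: auid=1000 sits next to uid=0, so the login identity survives the switch to root. The Python below is an added example, not code from the thread or from the audit project. It parses raw audit records of that shape, groups them by event serial, and flags two things: events where auid differs from uid (a privilege change that is still traceable to the user who logged in), and events where auid is 4294967295 (unsigned -1), the value the kernel reports when pam_loginuid never set a loginuid for the session, which is the symptom Burn Alting's grep over /etc/pam.d/ is meant to rule out. The first event in the sample is the one from the post; the second event (serial 23800, pid/ppid values, tty=(none)) is constructed for illustration.

```python
import re
from collections import defaultdict

# The kernel reports this (unsigned -1) when no pam_loginuid ever set a
# loginuid for the session: the tell-tale of a missing
# "session required pam_loginuid.so" line in the relevant /etc/pam.d/ file.
AUID_UNSET = 4294967295

# Sample input. Event 23716 is the record posted in the thread above;
# event 23800 is constructed to show an unset auid (pam_loginuid absent).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59 success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2 ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716): cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"
type=SYSCALL msg=audit(1430989300.000:23800): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=100 pid=101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="id" exe="/usr/bin/id" key="auditcmd"
type=PROCTITLE msg=audit(1430989300.000:23800): proctitle="id"
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw audit lines into events: {serial: {type: [fields, ...]}}.

    Several records of one type (e.g. two PATH items) share a serial, so each
    record type maps to a list of field dicts rather than a single dict.
    """
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record; skip
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["_ts"] = float(ts)
        events[int(serial)][rtype].append(fields)
    return events


def classify_syscall(event):
    """Compare auid (login identity) with uid (current identity) of a SYSCALL.

    Returns "unset" when pam_loginuid never ran, "switched" when the process
    runs as a different uid than the one that logged in (su/sudo), "same"
    otherwise, or None when the event carries no SYSCALL record.
    """
    syscalls = event.get("SYSCALL")
    if not syscalls:
        return None
    sc = syscalls[0]
    auid, uid = int(sc["auid"]), int(sc["uid"])
    if auid == AUID_UNSET:
        return "unset"
    return "switched" if auid != uid else "same"


def report(text):
    """Summarise every event that has a SYSCALL record, keyed by serial."""
    out = {}
    for serial, event in sorted(parse_records(text).items()):
        verdict = classify_syscall(event)
        if verdict is None:
            continue
        sc = event["SYSCALL"][0]
        out[serial] = {
            "verdict": verdict,
            "auid": int(sc["auid"]),
            "uid": int(sc["uid"]),
            "exe": sc.get("exe"),
            "cwd": event["CWD"][0]["cwd"] if event.get("CWD") else None,
        }
    return out


if __name__ == "__main__":
    for serial, info in report(SAMPLE_RECORDS).items():
        print(f"{serial}: {info['verdict']:8} auid={info['auid']} "
              f"uid={info['uid']} exe={info['exe']}")
```

Feed it the output of `ausearch -i` is not what it expects; it parses the raw key=value form written to /var/log/audit/audit.log, which is the form shown in the thread. An "unset" verdict on an interactive session is the signal to check the pam_loginuid lines Burn listed, since without a loginuid the auid can never identify who actually logged in.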
