While checking audit logs for failed logins, It was noticed that the AUID was one name and there was a UID of the user that failed login. The only thing we can figure is that the AUID user rebooted the system by logging in as himself and then using sudo to reboot the system prior to the fails. Are we correct in this assumption?
David Flatley "To err is human. To really screw up requires the root password." -UNKNOWN -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit