On Friday, November 14, 2014 10:16:12 AM David Flatley wrote:
> While checking audit logs for failed logins, it was noticed that the
> AUID was one name and there was a UID of the user that failed login. The
> only thing we can figure is that the AUID user rebooted the system
> by logging in as himself and then using sudo to reboot the system prior to
> the fails. Are we correct in this assumption?

Maybe. If the auid was someone with admin powers, they might have restarted a daemon which would insert their auid into the daemon and then cause other users' logins to be wrong. But generally when auid!=uid, then they have used sudo or su.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
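
The two cases from the reply above, as an added triage example that is not part of the original thread: it parses raw audit records and separates failed logins reported by a daemon that carries someone's auid from ordinary auid!=uid records (sudo or su). The sample records, label strings and function names are constructed for illustration; 4294967295 is the kernel's "unset" loginuid.

```python
import re

UNSET_AUID = {"4294967295", "-1", "unset"}   # (uid_t)-1: no login session
LOGIN_TYPES = {"USER_LOGIN", "USER_AUTH"}    # written by the login daemon
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample records (not taken from the thread).
SAMPLE = """\
type=USER_LOGIN msg=audit(1415978172.101:210): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" res=failed'
type=USER_LOGIN msg=audit(1415978190.440:233): pid=2188 uid=0 auid=1000 ses=3 msg='op=login acct="bob" exe="/usr/sbin/sshd" res=failed'
type=SYSCALL msg=audit(1415978201.007:240): arch=c000003e syscall=59 success=yes pid=2204 auid=1000 uid=0 ses=3 comm="reboot" exe="/usr/sbin/reboot"
type=SYSCALL msg=audit(1415978230.500:251): arch=c000003e syscall=59 success=yes pid=2230 auid=1001 uid=1001 ses=5 comm="ls" exe="/usr/bin/ls"
"""

def parse(line):
    """Return the key=value fields of one raw audit record as a dict."""
    # Flatten the nested msg='...' payload so its fields are parsed too.
    flat = line.strip().replace("msg='", "").rstrip("'")
    return {k: v.strip('"') for k, v in FIELD.findall(flat)}

def classify(rec):
    """Label a record by how its auid relates to its uid."""
    auid, uid = rec.get("auid"), rec.get("uid")
    if rec.get("type") in LOGIN_TYPES:
        if rec.get("res") != "failed":
            return "login-not-failed"
        # Daemon case from the reply: a login daemon restarted from an
        # admin's session reports that admin's auid on failed logins.
        if auid in UNSET_AUID:
            return "failed-login"
        return "failed-login-daemon-has-auid"
    if auid in UNSET_AUID:
        return "no-login-session"
    # auid is fixed at login; uid changes when sudo or su is used.
    return "same-user" if auid == uid else "identity-changed"

def review(text):
    """Return (event serial, label) for every record in text."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [(SERIAL.search(l).group(1), classify(parse(l))) for l in lines]

if __name__ == "__main__":
    for serial, label in review(SAMPLE):
        print(serial, label)
```
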