On Wednesday, September 15, 2021 8:29:08 AM EDT Richard Guy Briggs wrote: > I was in the middle of reviewing the v2 patchset to add my acks when I > forgot to add the comment that you still haven't convinced me that ses= > isn't needed or relevant if we are including auid=.
The session id is needed to disambiguate which login the event belongs to. It is necessary sometimes to trace an event back to the login because it was a remote login from an unexpected IP address. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
