Daemon auditd - uid=root auid=unset ses=unset


New Member
Jul 22, 2022
Reaction score
Good evening, I'm doing research for my master's degree.

I must use auditd to audit everything that happens on the operating system.

There is in my scenario, a common user (foouser) who privilege elevation with su - or su (CentOS).

For example, when restarting a service I cannot identify (foouser), since the following appears in the audit log:

pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=servicex=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success'

If I check the logs in:


type=SERVICE_START msg=audit(1658524032.777:215728): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='servicex="systemd" exe="/usr/lib/systemd /systemd" hostname=? addr=? terminal=? res=success'

List the root user's AUID instead of foouser's.

I have found a workaround which is to add a rule about:

vim /etc/audit/rules.d/audit.rules

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=su_log

But I would like to find a way to change this behavior without adding custom rules.

Thank you very much for reading my query.

Best regards.

You can add rules without add them to /etc/audit/rules.d/audit.rules but they won't be persistent, so when the system reboots they will be gone.
Thanks for your answer.
A nonrepudiation environment can be created using sudo
As I use REDHAT I can't find how to use sudo as in DEBIAN (Distro Ubuntu).
In this way, it would guarantee that each user that enters is audited correctly and guarantee non-repudiation.
Is there about REDHAT to use a command similar to sudo avoiding elevating privileges using su - or su.?

Members online