Audit allows you to consistently track a user's actions from login right through logout no matter which identities this user might adopt in the meantime. Audit does so by using audit IDs that are created upon login and handed down to any child process of the original login process. To enable this special feature of audit, you need to modify the PAM configuration of several components (login, sshd, gdm, crond, atd).
To adjust the PAM configuration to enable audit IDs, proceed as follows:
Log in as root.
Open the PAM configuration file for the application—/etc/pam.d/application— and add the following line before the common-session line:
session required pam_loginuid.so session include common-session
Apply your changes and close the configuration file.
The changes in PAM configuration take effect as soon as the application is called again, for example, login, sshd, and the display managers log with an audit ID at the next login.