Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 366

auid
The audit ID. A process is given an audit ID on user login. This ID is then handed
down to any child process started by the initial process of the user. Even if the user
changes his identity (for example, becomes root), the audit ID stays the same.
Thus you can always trace actions to the original user who logged in.
uid
The user ID of the user who started the process. In this case, 0 for root.
gid
The group ID of the user who started the process. In this case, 0 for root.
euid, suid, fsuid
Effective user ID, set user ID, and file system user ID of the user that started the
process.
egid, sgid, fsgid
Effective group ID, set group ID, and file system group ID of the user that started
the process.
tty
The terminal from which the application is started. In this case, a pseudoterminal
used in an SSH session.
ses
The login session ID. This process attribute is set when a user logs in and can tie
any process to a particular user login.
comm
The application name under which it appears in the task list.
exe
The resolved pathname to the binary program.
subj
auditd records whether the process is subject to any security context, such as
AppArmor. unconstrained, as in this case, means that the process is not con-
fined with AppArmor. If the process had been confined, the binary pathname plus
the AppArmor profile mode would have been logged.
354 Security Guide