Fwd: Re: Fw: Audit records for start/stop auditd

Klaus Weidner klaus at atsec.com
Fri Apr 8 22:23:16 UTC 2005


On Fri, Apr 08, 2005 at 10:11:34PM +0100, David Woodhouse wrote:
> On Fri, 2005-04-08 at 12:10 -0500, Klaus Weidner wrote:
> > The pam_close_session record isn't required by CAPP, we had a discussion
> > about session end records some time ago. It's generally less reliable
> > than the start record anyway since the session close record doesn't mean
> > that all processes launched by that user have terminated; some may have
> > been backgrounded.
> 
> One answer to this might be to assign a unique 'session id' cookie at
> login time, then store and log it with the loginuid at all times. 

That's what the LAuS implementation did - it's not strictly CAPP required
but it's helpful for tracing back an arbitrary audit event record to the
corresponding login record that started the session.

It's in theory possible to do that without a session ID by tracing the
ancestry through records of fork() syscalls, but that's a lot more work
and needs an uninterrupted audit trail of all intervening fork()s.

-Klaus
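The two correlation strategies Klaus contrasts above (a per-login session id carried on every record versus reconstructing process ancestry from fork() records) as an added illustration, not code from the thread or from LAuS. The records are constructed in a simplified key=value style with assumed field names `auid` (loginuid) and `ses` (session id); they do not claim to reproduce the 2005 record format. The fork-ancestry function is deliberately given a trail with one fork record missing, to show the gap problem the message describes.

```python
"""Tracing an audit event back to its login record: session id vs fork ancestry.

Added example, not part of the original mailing-list post. Field names and
record layout are assumptions chosen for illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed sample trail (not real audit output). Two logins by the same
# loginuid (auid=500) get distinct session ids (ses=1, ses=2); each spawns
# children via fork, and a descendant of each later opens a file.
SAMPLE_RECORDS = [
    "type=LOGIN pid=1000 auid=500 ses=1 msg='login uid=500 tty=pts/0'",
    "type=SYSCALL pid=1000 auid=500 ses=1 syscall=fork exit=1001",
    "type=SYSCALL pid=1001 auid=500 ses=1 syscall=fork exit=1002",
    "type=LOGIN pid=2000 auid=500 ses=2 msg='login uid=500 tty=pts/1'",
    "type=SYSCALL pid=2000 auid=500 ses=2 syscall=fork exit=2001",
    "type=SYSCALL pid=1002 auid=500 ses=1 syscall=open name=/etc/shadow",
    "type=SYSCALL pid=2001 auid=500 ses=2 syscall=open name=/etc/passwd",
]

# key=value pairs; a quoted value may contain spaces and '=' signs.
_KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split one record into a dict, stripping quotes from quoted values."""
    return {k: v.strip("'") for k, v in _KV.findall(line)}


def index_logins(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map session id -> the LOGIN record that opened that session."""
    return {r["ses"]: r for r in records if r["type"] == "LOGIN"}


def login_for_event(event: Dict[str, str],
                    logins: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Session-id approach: a single lookup, independent of intervening records."""
    return logins.get(event.get("ses", ""))


def login_via_fork_ancestry(event: Dict[str, str],
                            records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Ancestry approach: walk child -> parent through fork records until a
    pid that appears in a LOGIN record is reached. Returns None if the chain
    is broken, i.e. some fork between login and event was not recorded."""
    parent: Dict[str, str] = {}          # child pid -> parent pid
    login_pids: Dict[str, Dict[str, str]] = {}
    for r in records:
        if r["type"] == "LOGIN":
            login_pids[r["pid"]] = r
        elif r.get("syscall") == "fork":
            parent[r["exit"]] = r["pid"]  # fork() returns the child pid to the parent
    pid = event["pid"]
    seen = set()
    while pid not in login_pids:
        if pid in seen or pid not in parent:
            return None                    # gap in the trail (or a cycle): cannot attribute
        seen.add(pid)
        pid = parent[pid]
    return login_pids[pid]


def demo() -> Dict[str, Optional[str]]:
    """Attribute the /etc/shadow open both ways, on a complete trail and on a
    trail missing one fork record. Returns the session ids found (or None)."""
    records = [parse(l) for l in SAMPLE_RECORDS]
    shadow_open = records[5]
    logins = index_logins(records)
    gapped = records[:2] + records[3:]     # drop the 1001 -> 1002 fork record

    def ses(rec: Optional[Dict[str, str]]) -> Optional[str]:
        return rec["ses"] if rec else None

    return {
        "session_id_complete": ses(login_for_event(shadow_open, logins)),
        "session_id_gapped":   ses(login_for_event(shadow_open, index_logins(gapped))),
        "ancestry_complete":   ses(login_via_fork_ancestry(shadow_open, records)),
        "ancestry_gapped":     ses(login_via_fork_ancestry(shadow_open, gapped)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the complete trail both methods attribute the open of /etc/shadow to session 1. Once a single fork record is missing, the ancestry walk stops at pid 1001 with no parent and returns None, while the session-id lookup is unaffected because the id travels on the event record itself; that is the reliability difference the message points at.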




More information about the Linux-audit mailing list