Handling disk full & No Kernel resources
Steve Grubb
sgrubb at redhat.com
Thu Jan 6 04:22:04 UTC 2005

On Wednesday 05 January 2005 18:49, Casey Schaufler wrote:
> inetd (or xinetd if you're living in the 21st
> century) must set the audit flags for the child
> process it spawns, as well as the audit user id.

What flags? Can you give me a concrete example? All xinetd children share the
same session ID unless they set their own. I don't know of any program that
sets its own that is xinetd friendly. Therefore, you can track items of
interest by being able to audit based on the session ID or process group ID.

> xinetd invokes a child to perform an action on a
> user's behalf, which means that the action must be
> audited as that user is audited.

Only sometimes. For example, you could have a daytime service and the user
requesting time isn't known because ident isn't running on the other end.
Now, if you have telnet, ssh, or ftp being started by xinetd, the child will
know who the user is (since they had to say who they are and provide a
password) and if you are using a pamified version, the pam_audit module can
set the login id. But to be able to track *any* xinetd child, you need to
follow the session ID or process group ID. This is missing from the current
implementation.

-Steve Grubb
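
The session ID behaviour discussed in the message above, as an added C example that is not part of the original post or of the audit code: a forked child inherits its parent's session ID and process group ID, and a child that calls setsid() ends up in a new session. The parent process here stands in for xinetd, and the struct and function names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

struct ids { pid_t pid, sid, pgid; };
/* Fork a child standing in for a service started by a super-server such as
 * xinetd (constructed scenario). With detach set, the child calls setsid()
 * first. It reports its PID, session ID and process group ID over a pipe. */
static int spawn_and_report(int detach, struct ids *out)
{
    int fds[2], status;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                              /* child */
        close(fds[0]);
        if (detach && setsid() < 0) _exit(1);
        struct ids me = { getpid(), getsid(0), getpgrp() };
        _exit(write(fds[1], &me, sizeof me) == (ssize_t)sizeof me ? 0 : 1);
    }
    close(fds[1]);                               /* parent */
    ssize_t n = read(fds[0], out, sizeof *out);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* 1 if an ordinary child keeps the parent's session and process group. */
int child_shares_session(void)
{
    struct ids c;
    return spawn_and_report(0, &c) == 0 && c.sid == getsid(0) && c.pgid == getpgrp();
}

/* 1 if a child that calls setsid() ends up leading a new session. */
int detached_child_leaves_session(void)
{
    struct ids c;
    return spawn_and_report(1, &c) == 0 && c.sid == c.pid && c.sid != getsid(0);
}

int main(void)
{
    printf("child shares session: %d\n", child_shares_session());
    printf("setsid() child leaves session: %d\n", detached_child_leaves_session());
    return 0;
}
```

The second check is the "unless they set their own" case: a filter keyed on the parent's session ID no longer matches that child.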
More information about the Linux-audit
mailing list