Dropping auid for daemons started via sudo
Konstantin Ryabitsev
icon at fedoraproject.org
Mon May 17 13:32:15 UTC 2010
Hello:
I'm dealing with a set of machines with unrestricted sudo for admins
("sudo -s"). It's not something I can immediately change (though I'm
working toward a more restrictive attitude and policy). I'm trying to
at least do some auditing via the following audit rule:
-a always,exit -F arch=b32 -S execve -F uid=0 -F auid>=500 -F
auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S execve -F uid=0 -F auid>=500 -F
auid!=4294967295 -k privileged
It mostly does the right thing, except for cases when an admin logs in
and restarts a service. If it's running a privileged process, that
process will have an auid of the user that last ran "service foo
restart".
Is there a way to drop auid for services restarted by individual
admins? I'm not sure if run_init does it, but I can't use it anyway
because selinux is disabled on those machines.
Thanks for any advice.
Regards,
--
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec
More information about the Linux-audit
mailing list