Auditing only when auid and uid differ
Steve Grubb
sgrubb at redhat.com
Wed Oct 9 16:43:20 UTC 2013
On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote:
> I want to track what people are doing when they change their userid.
> Basically I would like to write :
> -a exit,never -F arch=b32 -S all -F auid=4294967295
> -a exit,never -F arch=b64 -S all -F auid=4294967295
> -a exit,always -F arch=b32 -S all -F auid>1000 -F uid!=auid -k userchange
> -a exit,always -F arch=b64 -S all -F auid>1000 -F uid!=auid -k userchange
>
> However it seems that it's not a valid syntax.
> Is there a way to achieve that.
Yes there is. It requires a newish kernel and user space. But the rules are like this:
-a always,exit -F arch=b32 -S all -F auid!=4294967295 -C auid!=uid
-a exit,always -F arch=b32 -S all -F auid>1000 -F auid!=4294967295 -C auid!=uid -k userchange
And the same for b64.
-Steve
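The filter Steve gives combines a normal -F test (auid above a threshold and not the unset value) with a -C interfield comparison (auid against uid of the same record). As an added example that is not part of the thread, the block below renders those rules for both ABIs and applies the same predicate to a few constructed SYSCALL records, so you can see which events the rule would emit and why the explicit auid!=4294967295 term is needed: auid is unsigned, so the unset value is larger than 1000 and would otherwise pass the auid>1000 test. The sample log lines, the function names and the field subset are assumptions made for illustration; only the fields the rule inspects are filled in.

```python
import re

# auid is unsigned in the kernel; (unsigned)-1 means "login uid never set",
# which is what daemons, cron jobs and anything not started via PAM carry.
UNSET_AUID = 4294967295


def build_rules(min_auid=1000, key="userchange"):
    """Render the rule from Steve's reply for both syscall ABIs.

    auid>min_auid alone is not enough: UNSET_AUID is larger than any real
    uid, so the unset value must be excluded explicitly.  -C compares two
    fields of the same record, which -F cannot do.
    """
    return [
        f"-a always,exit -F arch={arch} -S all"
        f" -F auid>{min_auid} -F auid!={UNSET_AUID} -C auid!=uid -k {key}"
        for arch in ("b32", "b64")
    ]


_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def rule_matches(rec, min_auid=1000):
    """Apply the rule's filter terms to a parsed SYSCALL record.

    Every -F/-C term must hold for the record to be emitted.
    """
    if rec.get("type") != "SYSCALL":
        return False
    auid = int(rec["auid"])
    uid = int(rec["uid"])
    return auid > min_auid and auid != UNSET_AUID and auid != uid


def find_userchanges(lines, min_auid=1000):
    """Return the parsed SYSCALL records the rule would have emitted."""
    return [r for r in map(parse_record, lines) if rule_matches(r, min_auid)]


# Constructed sample records (not real audit output, assumption for this
# example); only the fields the rule inspects matter here.
SAMPLE_LOG = [
    # interactive user 1001 has become root through sudo: should be caught
    'type=SYSCALL msg=audit(1381336999.123:456): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1234 pid=1235 auid=1001 uid=0 gid=0 euid=0 '
    'comm="id" exe="/usr/bin/id" key="userchange"',
    # cron job running as root: auid never set, must not be caught
    'type=SYSCALL msg=audit(1381337000.001:457): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 '
    'comm="run-parts" exe="/usr/bin/run-parts" key=(null)',
    # user 1001 working as themselves: uid == auid, not a change
    'type=SYSCALL msg=audit(1381337001.500:458): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1234 pid=1301 auid=1001 uid=1001 gid=1001 '
    'euid=1001 comm="ls" exe="/usr/bin/ls" key=(null)',
    # login uid below the threshold, out of scope for auid>1000
    'type=SYSCALL msg=audit(1381337002.000:459): arch=40000003 syscall=11 '
    'success=yes exit=0 ppid=900 pid=1302 auid=500 uid=0 gid=0 euid=0 '
    'comm="su" exe="/bin/su" key=(null)',
    # a non-SYSCALL record from the same event is ignored
    'type=CWD msg=audit(1381336999.123:456): cwd="/home/user"',
]

if __name__ == "__main__":
    print("\n".join(build_rules()))
    for rec in find_userchanges(SAMPLE_LOG):
        print(f'pid={rec["pid"]} auid={rec["auid"]} uid={rec["uid"]} '
              f'comm={rec["comm"]}')
```

Two practical notes when deploying the real rules: auid>1000 does not match auid 1000 itself, so on a distribution whose first regular account is uid 1000 you want auid>=1000; and because the rule selects -S all, every syscall of every matching process is logged, so expect a busy audit.log on hosts where administrators spend long sessions in sudo or su.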