Audit of physical users
Steve Grubb
sgrubb at redhat.com
Tue Sep 3 21:04:10 UTC 2013
On Monday, September 02, 2013 02:49:28 PM Maupertuis Philippe wrote:
> I have a requirement to trace the activity of the physical users on Redhat
> 5/6 systems. I spent the last week sifting through the archive to find
> that the question was asked time and again. The basic rule is easy but the
> hitch is when an administrator restarts a service. Unfortunately, it seems
> there is no solution until systemd is used to start daemon instead of
> service.
Depending on how ambitious you are, you can write a little C program that
opens /proc/self/loginuid and writes -1, then close, and execve the intended
program. You will still have a sessionid that is not -1, but you have a
solution. At the same time, it also means that admins could use the same tool
to bypass audit rules. So, you'd probably want to think about it a bit.
> The only useful thing I found was in this old post from 2007
> http://www.redhat.com/archives/linux-audit/2007-February/msg00071.html to
> reset the auid. I would like to know if it can be used with the current
> version of auditd.
Probably, but you don't really need to link against libaudit. If you looked at
the source to audit_setloginuid(), its just open /proc/self/loginuid and
writing to it.
> If yes, I will probably give it a try with a fixed
> dedicated auid to clearly state that the auid was changed. Do I need to
> install something besides audit and audit-libs ?
> Is there any special need, for compiling this program ?
I'd simplify.
-Steve
More information about the Linux-audit
mailing list