Setting loginuid for a process starting at boot
Steve Grubb
sgrubb at redhat.com
Tue Jan 14 14:33:48 UTC 2014
On Tuesday, January 14, 2014 02:13:45 PM Maupertuis Philippe wrote:
> Auditctl -e won't probably go unnoticed while an inconspicuous echo probably
> would.
Both are auditable events as required by Common Criteria. Changes to auditing
must produce an event, as must the assignment of loginuids. This is
automatic and not caused by a rule.
> Is there a rule to track this action without overloading the system?
Changes to audit state are auditable events. You can test this yourself with
auditctl and ausearch.
> Alternatively, is a post mortem analysis viable?
Yes.
> I was thinking of finding process in the audit.log whose loginuid differs
> from parent's loginuid. Is there a way to extract information and reformat
> the result (to keep process pid ppid loginuid for example) ?
You can write a utility using the auparse library to do anything you want it
to do.
https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c
The aulastlog program is probably a decent starting point to create something
like this. Instead of keeping uid, you'd be keeping pids and some attributes
of them. My guess is that you'll have long running processes that are not in
the logs and you'll have some unknowns.
-Steve
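As an added example (not Steve's code and not part of the audit project; it stands in for an auparse-based tool by using a small regex parser over the key=value fields of SYSCALL records, so it runs without libaudit), here is a Python sketch of the post-mortem check discussed above: it keeps pid, ppid, auid and comm for each process seen in the log, flags children whose loginuid differs from their parent's, and reports parents that never appear in the log as unknowns. The log lines, pids and command names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# auid=4294967295 is (unsigned)-1: the "unset" loginuid carried by processes
# started at boot rather than through a login that assigned one.
UNSET_AUID = 4294967295

# Constructed audit.log SYSCALL records (timestamps, serials, pids and command
# names are made up for this example; the field layout follows the real record).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1389709001.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1389709002.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1389709003.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1389709004.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1302 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="odd" exe="/tmp/odd" key=(null)
type=SYSCALL msg=audit(1389709005.500:105): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key=(null)
type=CWD msg=audit(1389709005.500:105): cwd="/home/user"
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    auid: int
    comm: str
    serial: int  # event serial from msg=audit(time:serial)


_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_syscall_records(text: str) -> Dict[int, Proc]:
    """Keep pid, ppid, auid and comm from each SYSCALL record (first sighting per pid)."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue  # CWD, PATH, EXECVE records carry no ppid/auid
        fields = dict(_FIELD_RE.findall(line))
        try:
            pid, ppid, auid = int(fields["pid"]), int(fields["ppid"]), int(fields["auid"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip rather than guess
        m = _MSG_RE.search(line)
        serial = int(m.group(1)) if m else 0
        comm = fields.get("comm", "?").strip('"')
        procs.setdefault(pid, Proc(pid, ppid, auid, comm, serial))
    return procs


def find_loginuid_mismatches(procs: Dict[int, Proc]) -> Tuple[List[Tuple[int, int, int, int, str]], List[int]]:
    """Return (mismatches, unknown): children whose auid differs from the parent's,
    and pids whose parent never shows up in the log."""
    mismatches: List[Tuple[int, int, int, int, str]] = []
    unknown: List[int] = []
    for pid in sorted(procs):
        child = procs[pid]
        parent = procs.get(child.ppid)
        if parent is None:
            unknown.append(pid)  # long-running parent started before logging began
            continue
        if child.auid == parent.auid:
            continue
        # "assigned": parent had no loginuid (a login daemon handing off a session).
        # "changed": parent already had one and the child's differs, which is the
        # case worth investigating since a loginuid is meant to be set once at login.
        kind = "assigned" if parent.auid == UNSET_AUID else "changed"
        mismatches.append((pid, child.ppid, parent.auid, child.auid, kind))
    return mismatches, unknown


def report(text: str) -> List[str]:
    """Flat pid/ppid/loginuid listing in the spirit of the question above."""
    procs = parse_syscall_records(text)
    mismatches, unknown = find_loginuid_mismatches(procs)
    lines = ["pid ppid parent_auid auid kind comm"]
    for pid, ppid, pauid, auid, kind in mismatches:
        lines.append(f"{pid} {ppid} {pauid} {auid} {kind} {procs[pid].comm}")
    for pid in unknown:
        p = procs[pid]
        lines.append(f"{pid} {p.ppid} ? {p.auid} unknown-parent {p.comm}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample this flags bash (pid 1300) as a normal loginuid assignment by sshd, flags /tmp/odd (pid 1302) because its loginuid went from 1000 back to unset under a parent that still had 1000, and lists sshd and vim as unknowns because their parents (pids 1 and 900) never appear in the log. Real auparse code would also handle multi-record events and interleaving; this sketch only reads SYSCALL records and keeps the first record per pid, so pid reuse over a long log would confuse it.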