One challenge for audit - seeking ideas
Burn Alting
burn at swtf.dyndns.org
Mon Jun 9 09:39:26 UTC 2014
All,
I am looking a ways to counter the situation where a user restarts a
service and hence all that service's auditing events are attributed to
the auid of the user who performed the restart.
That is
a. User logs into system (and pam sets auid)
b. User su's or sudo's up to a service account (auid still the same).
c. User restarts the service
d. All audit events resulting from the service have the user's auid.
At present I am looking at solution that front-end's the
RHEL5/RHEL6 /sbin/service command which sets the auid via a
audit_setloginuid() call and then execv's the service script and command
arguments.
I am interested in any other solutions that people may have implemented
successfully. Especially for the systemd replacement, if it's been done.
Regards
Burn
More information about the Linux-audit
mailing list