One challenge for audit - seeking ideas

LC Bruzenak lenny at magitekltd.com
Mon Jun 9 15:53:45 UTC 2014


On 06/09/2014 04:39 AM, Burn Alting wrote:
> All,
>
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
>
> That is
>
> a. User logs into system (and pam sets auid)
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service
> d. All audit events resulting from the service have the user's auid.
>
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command, which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
>
> I am interested in any other solutions that people may have implemented
> successfully. Especially for the systemd replacement, if it's been done.
>
> Regards
>
> Burn
>
>
Like run_init does (in the policy_coreutils rpm)?

LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
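
The front end described in the quoted post (set the auid, then execv the service command), as an added example that is not code from the thread or from either poster. It writes `/proc/self/loginuid` directly, which is the file libaudit's `audit_setloginuid()` writes, so it builds without libaudit; `SERVICE_AUID` and the helper name `set_loginuid_at` are assumptions made for illustration.

```c
/* Added example: front end for /sbin/service that resets the audit login uid
 * before exec'ing the real command. Not code from the thread. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define LOGINUID_PATH "/proc/self/loginuid" /* file audit_setloginuid() writes */
#define SERVICE_PATH  "/sbin/service"       /* command named in the post */
#define SERVICE_AUID  ((uid_t)0)            /* assumption: site-chosen auid */

/* Write uid in decimal to the loginuid file at path. Returns 0 or -errno.
 * The kernel may refuse the write (EPERM) without CAP_AUDIT_CONTROL. */
int set_loginuid_at(const char *path, uid_t uid)
{
    char buf[16];
    int len = snprintf(buf, sizeof buf, "%u", (unsigned)uid);
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, buf, (size_t)len);
    int err = (n == len) ? 0 : (n < 0 ? -errno : -EIO);
    if (close(fd) < 0 && err == 0)
        err = -errno;
    return err;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <service> <command> [args...]\n", argv[0]);
        return 2;
    }
    int rc = set_loginuid_at(LOGINUID_PATH, SERVICE_AUID);
    if (rc < 0) {
        /* Fail closed: do not start the service under the caller's auid. */
        fprintf(stderr, "cannot set loginuid: %s\n", strerror(-rc));
        return 1;
    }
    argv[0] = SERVICE_PATH;
    execv(SERVICE_PATH, argv);  /* only returns on failure */
    perror("execv " SERVICE_PATH);
    return 127;
}
```

The wrapper's own execve is still recorded under the invoking user's auid, so the restart itself stays attributable to that user.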
