One challenge for audit - seeking ideas

Steve Grubb sgrubb at redhat.com
Mon Jun 9 20:17:50 UTC 2014


On Monday, June 09, 2014 07:39:26 PM Burn Alting wrote:
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
> 
> That is
> 
> a. User logs into system (and pam sets auid)
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service
> d. All audit events resulting from the service have the user's auid.
> 
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command, which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
> 
> I am interested in any other solutions that people may have implemented
> successfully. Especially for the systemd replacement, if it's been done.

On older sysvinit systems, you could also plumb upstart to do service starts 
via its dbus/socket, kind of the same way telinit communicates with it. I think 
upstream made this work a long time ago. Stopping a service should be left as 
is.

-Steve
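The front-end Burn describes, a wrapper that sets the audit login uid and then execv's the real /sbin/service, as an added example in C. This is not code from the original thread or from the audit project; it assumes the wrapper runs with CAP_AUDIT_CONTROL (root via sudo), that the real command lives at /sbin/service, and that service events should be attributed to uid 0. It writes /proc/self/loginuid directly, which is what libaudit's audit_setloginuid() does internally, so it builds without -laudit. Following Steve's remark, only start/restart are relabelled; stop is passed through and stays attributed to the admin.

```c
/* service-auid: front-end for /sbin/service that re-labels the audit login
 * uid (auid) before exec'ing the real service script, so a service the admin
 * (re)starts is not audited under the admin's own auid.
 * Assumptions (not from the original post): runs with CAP_AUDIT_CONTROL,
 * the real command is /sbin/service, service events belong to uid 0. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REAL_SERVICE   "/sbin/service"   /* assumption */
#define SERVICE_AUID   ((uid_t)0)        /* assumption */
#define UNSET_LOGINUID ((uid_t)-1)       /* kernel's 4294967295: no login uid set */

/* Write uid to /proc/self/loginuid (what audit_setloginuid() does).
 * Needs CAP_AUDIT_CONTROL; the kernel may answer EPERM if it treats an
 * already-set loginuid as immutable. Returns 0 or -errno. */
static int set_loginuid(uid_t uid)
{
    char buf[32];
    int fd, len, rc = 0;

    len = snprintf(buf, sizeof buf, "%u", (unsigned int)uid);
    fd = open("/proc/self/loginuid", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    if (write(fd, buf, (size_t)len) != len)
        rc = -errno;
    close(fd);
    return rc;
}

/* Parse the text of /proc/self/loginuid ("1000\n", or "4294967295\n" when
 * unset). Returns 0 and stores the uid, or -1 on malformed input. */
static int parse_loginuid(const char *text, uid_t *out)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno || end == text || (*end != '\0' && *end != '\n') || v > 0xFFFFFFFFUL)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Read the loginuid back from the kernel to verify the write took effect. */
static uid_t get_loginuid(void)
{
    char buf[32];
    ssize_t n;
    uid_t uid;
    int fd = open("/proc/self/loginuid", O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        return UNSET_LOGINUID;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return UNSET_LOGINUID;
    buf[n] = '\0';
    return parse_loginuid(buf, &uid) == 0 ? uid : UNSET_LOGINUID;
}

/* Only starts are re-labelled; a stop stays attributed to the admin. */
static int should_relabel(const char *action)
{
    return action && (strcmp(action, "start") == 0 || strcmp(action, "restart") == 0);
}

/* argv for the real command: argv[0] swapped, the rest passed through,
 * NULL-terminated. Returns the argument count, or -1 if out is too small. */
static int build_service_argv(int argc, char **argv, char **out, size_t out_cap)
{
    int i;

    if ((size_t)argc + 1 > out_cap)
        return -1;
    out[0] = REAL_SERVICE;
    for (i = 1; i < argc; i++)
        out[i] = argv[i];
    out[argc] = NULL;
    return argc;
}

int main(int argc, char **argv)
{
    char *real_argv[64];
    int rc;

    if (argc < 3 || build_service_argv(argc, argv, real_argv, 64) < 0) {
        fprintf(stderr, "usage: %s <service> <start|stop|restart|...>\n", argv[0]);
        return 2;
    }
    if (should_relabel(argv[2])) {
        rc = set_loginuid(SERVICE_AUID);
        /* Refuse to start unlabelled rather than silently audit as the admin. */
        if (rc != 0 || get_loginuid() != SERVICE_AUID) {
            fprintf(stderr, "%s: cannot set auid to %u: %s\n", argv[0],
                    (unsigned int)SERVICE_AUID,
                    rc != 0 ? strerror(-rc) : "kernel kept a different value");
            return 1;
        }
    }
    execv(REAL_SERVICE, real_argv);
    perror(REAL_SERVICE);
    return 1;
}
```

Note that the wrapper itself becomes the trust boundary: anyone allowed to run it with CAP_AUDIT_CONTROL can launder their own actions under the service auid, so the sudoers entry granting it should pin the service name and the start/restart arguments rather than allowing the wrapper with arbitrary arguments.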



