auid of a script started by a daemon process.
Kaptaan
kaptaan at protonmail.com
Mon Feb 20 16:50:31 UTC 2017
Hello All,
I have recently been introduced to linux security. After going through man pages and some posts, I believe I have configured and setup my audit rules correctly. My need is to monitor and log access to all files in certain directories.
The problem.
Application1 - I log in using my id <user1>. I sudo to <super_user1> and start the application.
The application starts a few daemon process owned by <super_user1>.
User2 - uses the application to access the files (through some script). The script is actually executed by the application's daemon process.
The auid shown in the audit logs is always my id <user1> for all audit events.
So I started capturing the uid from the logs which shows <user2>.
Now user2 is smart, he/she sudo to <super_user2> and then runs the same script to access the files. This time the auid is shown as my user <user1> and the uid, euid is always shown as <super_user2>.
Is there a way I can get the auid of the person who started the script even after he/she sudoes to another user?
Any help/suggestion is much appreciated.
Thanks,
Amit.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170220/5ef61547/attachment.htm>
More information about the Linux-audit
mailing list