auid of a script started by a daemon process.

[Steve Grubb]

On Monday, February 20, 2017 11:50:31 AM EST Kaptaan wrote:
> Hello All,
> I have recently been introduced to linux security. After going through man
> pages and some posts, I believe I have configured and setup my audit rules
> correctly. My need is to monitor and log access to all files in certain
> directories. The problem.
> Application1 - I log in using my id <user1>. I sudo to <super_user1> and
> start the application. The application starts a few daemon process owned by
> <super_user1>.
> 
> User2 - uses the application to access the files (through some script). The
> script is actually executed by the application's daemon process.
> 
> The auid shown in the audit logs is always my id <user1> for all audit
> events.

Yes. This sounds like a problem. The auid is the mechanism to track who the 
person is no matter who they sudo/su to. The uid is the transient id of the 
user that changes with whatever account they are currently using.

Daemons have an auid of (unsigned int)-1. I think that to fix the issue, you 
need your daemons started by themselves and not from your account. With 
systemd its pretty easy. From a SysVinit based system...its not fixable.

The auid is set on login and is inherited by each process that gets started in 
your session. With systemd, when you start a daemon a message goes across dbus 
and systemd forks and execs the daemon. The auid is -1. On sysVinit systems, 
you run the init script in your session so the daemon picks up your auid.


> So I started capturing the uid from the logs which shows <user2>.
> 
> Now user2 is smart, he/she sudo to <super_user2> and then runs the same
> script to access the files. This time the auid is shown as my user <user1>
> and the uid, euid is always shown as <super_user2>.
> 
> Is there a way I can get the auid of the person who started the script even
> after he/she sudoes to another user?

It is the auid.

-Steve

> Any help/suggestion is much appreciated.
> 
> Thanks,
> Amit.