systemd daemon and auid
Steve Grubb
sgrubb at redhat.com
Wed Apr 7 13:23:01 UTC 2021
On Wednesday, April 7, 2021 3:20:22 AM EDT MAUPERTUIS, PHILIPPE wrote:
> I understand that daemons started by systemd have a uid -1.
> For a specific daemon, I would like to have a different auid to trace what
> the daemon is doing. By having a distinct auid it would be monitored
> without specific rules. Is that possible?
While it may be possible, that violates how the audit system was designed to
operate. Setting the loginuid also sets the session ID. The utilities look
for those events to determine that a login has occurred and then track that.
> Otherwise, what would be the best way to monitor a specific daemon?
There is auditing by application.
-a always,exit -F exe=/usr/sbin/httpd -F arch=b64 -S open,openat, ...
-Steve
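
An added example, not part of the original message: events captured by a per-executable rule like the one above can be separated into daemon activity (auid and ses unset) and runs of the same binary from a login session. The log records and the key name "httpd-files" are constructed for illustration.

```python
import re

UNSET = 4294967295  # (uid_t)-1: loginuid / session ID never set for this process

# Constructed sample records in raw audit.log SYSCALL format (not real logs).
# The key "httpd-files" is a hypothetical -F key= value added to the rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1617801781.101:410): arch=c000003e syscall=257 success=yes exit=9 ppid=1 pid=2211 auid=4294967295 uid=48 gid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="httpd-files"
type=SYSCALL msg=audit(1617801782.530:411): arch=c000003e syscall=257 success=yes exit=3 ppid=3100 pid=3107 auid=1000 uid=0 gid=0 tty=pts0 ses=7 comm="httpd" exe="/usr/sbin/httpd" key="httpd-files"
type=SYSCALL msg=audit(1617801783.004:412): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=2211 auid=4294967295 uid=48 gid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="httpd-files"
type=SYSCALL msg=audit(1617801784.250:413): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=801 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
"""

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw audit record into a dict of its name=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for name, value in FIELD.findall(m.group(4)):
        rec[name] = value.strip('"')
    return rec


def events_for_exe(log_text, exe):
    """Group SYSCALL events for `exe` by whether a login session owns them."""
    out = {"daemon": [], "login": []}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec["type"] != "SYSCALL" or rec.get("exe") != exe:
            continue
        auid, ses = int(rec["auid"]), int(rec["ses"])
        # Unset auid and ses: started by init/systemd, no login event behind it.
        group = "daemon" if auid == UNSET and ses == UNSET else "login"
        out[group].append((rec["serial"], int(rec["syscall"]), rec["success"], auid))
    return out


if __name__ == "__main__":
    for group, events in events_for_exe(SAMPLE_LOG, "/usr/sbin/httpd").items():
        print(group, events)
```
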