From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, Kaptaan <kaptaan@protonmail.com>
Subject: Re: auid of a script started by a daemon process.
Date: Mon, 20 Feb 2017 12:04:11 -0500 [thread overview]
Message-ID: <1652043.Wr1xMlEZqN@x2> (raw)
In-Reply-To: <p7_GGm5wq4m_TUcXbvXPYINGgm5JOKFDgKdoXVftAh6LWjcOcWsejFJVkFzLQPXMuEZZkUIECN0EAyJkLfek-nUBzZZz19nCg36tnSe5XwU=@protonmail.com>
On Monday, February 20, 2017 11:50:31 AM EST Kaptaan wrote:
> Hello All,
> I have recently been introduced to Linux security. After going through man
> pages and some posts, I believe I have configured and setup my audit rules
> correctly. My need is to monitor and log access to all files in certain
> directories. The problem.
> Application1 - I log in using my id <user1>. I sudo to <super_user1> and
> start the application. The application starts a few daemon process owned by
> <super_user1>.
>
> User2 - uses the application to access the files (through some script). The
> script is actually executed by the application's daemon process.
>
> The auid shown in the audit logs is always my id <user1> for all audit
> events.
Yes. This sounds like a problem. The auid is the mechanism to track who the
person is no matter who they sudo/su to. The uid is the transient id of the
user that changes with whatever account they are currently using.
Daemons have an auid of (unsigned int)-1. I think that to fix the issue, you
need your daemons started by themselves and not from your account. With
systemd it's pretty easy. On a SysVinit-based system... it's not fixable.
The auid is set on login and is inherited by each process that gets started in
your session. With systemd, when you start a daemon a message goes across dbus
and systemd forks and execs the daemon. The auid is -1. On SysVinit systems,
you run the init script in your session so the daemon picks up your auid.
> So I started capturing the uid from the logs which shows <user2>.
>
> Now user2 is smart, he/she sudoes to <super_user2> and then runs the same
> script to access the files. This time the auid is shown as my user <user1>
> and the uid, euid is always shown as <super_user2>.
>
> Is there a way I can get the auid of the person who started the script even
> after he/she sudoes to another user?
It is the auid.
-Steve
> Any help/suggestion is much appreciated.
>
> Thanks,
> Amit.
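A way to check the inheritance Steve describes on a running box, as an added example that is not part of this thread or of the audit project's own tooling: the kernel exposes each process's auid in /proc/<pid>/loginuid, and an "unset" auid is (unsigned int)-1, i.e. 4294967295. The script below classifies that value and then lists every process whose parent is PID 1 (daemons started by or reparented to init/systemd) that still carries a login session's auid, which is exactly the situation that makes every audit event show <user1>. The helper names (classify_auid, read_auid, report_session_daemons) are this example's own; on a non-Linux host or without /proc the report simply prints nothing.

```shell
#!/bin/sh
# Added example: report which daemons inherited a login session auid.
# An auid of 4294967295 ((unsigned int)-1) means "unset", the value a daemon
# started by systemd/init carries; anything else was inherited from a login.

UNSET_AUID=4294967295

# classify_auid VALUE -> prints "unset", "root", "user" or "invalid"
classify_auid() {
    case "$1" in
        "$UNSET_AUID") echo unset ;;
        0)             echo root ;;
        ''|*[!0-9]*)   echo invalid ;;
        *)             echo user ;;
    esac
}

# read_auid PID -> prints the loginuid recorded for PID, or "n/a" if unreadable
read_auid() {
    f="/proc/$1/loginuid"
    if [ -r "$f" ]; then
        cat "$f" 2>/dev/null || echo n/a
    else
        echo n/a
    fi
}

# report_session_daemons -> one line per child of PID 1 whose auid is not unset
report_session_daemons() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        stat=$(cat "$d/stat" 2>/dev/null) || continue
        # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain
        # spaces or parentheses, so cut at the last ") " before reading fields
        rest=${stat##*') '}
        ppid=$(printf '%s\n' "$rest" | awk '{print $2}')
        [ "$ppid" = "1" ] || continue
        auid=$(read_auid "$pid")
        cls=$(classify_auid "$auid")
        comm=$(cat "$d/comm" 2>/dev/null) || comm='?'
        if [ "$cls" = "user" ] || [ "$cls" = "root" ]; then
            printf 'pid=%s comm=%s auid=%s (%s) inherited a login session auid\n' \
                "$pid" "$comm" "$auid" "$cls"
        fi
    done
}

# Run the report when executed directly; run as root to read every process.
report_session_daemons
```

Any daemon listed here should be moved to a systemd unit (or otherwise started outside a login session) so its auid becomes unset and audit events caused by its users are attributed to their own sessions rather than to whoever started it.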
Thread overview: 4+ messages
2017-02-20 16:50 auid of a script started by a daemon process Kaptaan
2017-02-20 17:04 ` Steve Grubb [this message]
2017-02-20 18:24 ` Kaptaan
2017-02-20 19:18 ` Steve Grubb