From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auid of a script started by a daemon process.
Date: Mon, 20 Feb 2017 12:04:11 -0500
Message-ID: <1652043.Wr1xMlEZqN@x2>
References: <p7_GGm5wq4m_TUcXbvXPYINGgm5JOKFDgKdoXVftAh6LWjcOcWsejFJVkFzLQPXMuEZZkUIECN0EAyJkLfek-nUBzZZz19nCg36tnSe5XwU=@protonmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <p7_GGm5wq4m_TUcXbvXPYINGgm5JOKFDgKdoXVftAh6LWjcOcWsejFJVkFzLQPXMuEZZkUIECN0EAyJkLfek-nUBzZZz19nCg36tnSe5XwU=@protonmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, Kaptaan <kaptaan@protonmail.com>
List-Id: linux-audit@redhat.com

On Monday, February 20, 2017 11:50:31 AM EST Kaptaan wrote:
> Hello All,
> I have recently been introduced to linux security. After going through man
> pages and some posts, I believe I have configured and setup my audit rules
> correctly. My need is to monitor and log access to all files in certain
> directories. The problem.
> Application1 - I log in using my id <user1>. I sudo to <super_user1> and
> start the application. The application starts a few daemon process owned by
> <super_user1>.
> 
> User2 - uses the application to access the files (through some script). The
> script is actually executed by the application's daemon process.
> 
> The auid shown in the audit logs is always my id <user1> for all audit
> events.

Yes. This sounds like a problem. The auid is the mechanism to track who the 
person is no matter who they sudo/su to. The uid is the transient id of the 
user that changes with whatever account they are currently using.

Daemons have an auid of (unsigned int)-1. I think that to fix the issue, you 
need your daemons started by themselves and not from your account. With 
systemd its pretty easy. From a SysVinit based system...its not fixable.

The auid is set on login and is inherited by each process that gets started in 
your session. With systemd, when you start a daemon a message goes across dbus 
and systemd forks and execs the daemon. The auid is -1. On sysVinit systems, 
you run the init script in your session so the daemon picks up your auid.


> So I started capturing the uid from the logs which shows <user2>.
> 
> Now user2 is smart, he/she sudo to <super_user2> and then runs the same
> script to access the files. This time the auid is shown as my user <user1>
> and the uid, euid is always shown as <super_user2>.
> 
> Is there a way I can get the auid of the person who started the script even
> after he/she sudoes to another user?

It is the auid.

-Steve

> Any help/suggestion is much appreciated.
> 
> Thanks,
> Amit.