From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Maupertuis Philippe <philippe.maupertuis@worldline.com>
Subject: Re: Audit of physical users
Date: Tue, 03 Sep 2013 17:04:10 -0400
Message-ID: <2217910.2QUQCy6Liz@x2>
In-Reply-To: <A35547AE65CDA84F93D4012BDFB5D5553DA7C28D29@FRVDX100.fr01.awl.atosorigin.net>
On Monday, September 02, 2013 02:49:28 PM Maupertuis Philippe wrote:
> I have a requirement to trace the activity of the physical users on Redhat
> 5/6 systems. I spent the last week sifting through the archive to find
> that the question was asked time and again. The basic rule is easy but the
> hitch is when an administrator restarts a service. Unfortunately, it seems
> there is no solution until systemd is used to start daemon instead of
> service.
Depending on how ambitious you are, you can write a little C program that
opens /proc/self/loginuid, writes -1, then closes it, and execve's the intended
program. You will still have a sessionid that is not -1, but you have a
solution. At the same time, it also means that admins could use the same tool
to bypass audit rules. So, you'd probably want to think about it a bit.
> The only useful thing I found was in this old post from 2007
> http://www.redhat.com/archives/linux-audit/2007-February/msg00071.html to
> reset the auid. I would like to know if it can be used with the current
> version of auditd.
Probably, but you don't really need to link against libaudit. If you looked at
the source to audit_setloginuid(), it's just open /proc/self/loginuid and
writing to it.
> If yes, I will probably give it a try with a fixed
> dedicated auid to clearly state that the auid was changed. Do I need to
> install something besides audit and audit-libs ?
> Is there any special need, for compiling this program ?
I'd simplify.
-Steve
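The wrapper Steve describes above (open /proc/self/loginuid, write -1, exec), as an added example that is not part of the thread and not Steve's or the audit project's code. It also addresses his caveat that such a tool can double as an audit bypass: instead of exec'ing an arbitrary program it only ever runs a fixed target, assumed here to be /sbin/service, and only accepts a service name and one of a small set of actions, so it cannot strip the auid from a shell or any other command. Writing /proc/self/loginuid needs CAP_AUDIT_CONTROL; if the write fails the wrapper refuses to run the service rather than silently starting it under the administrator's auid. The target path and the argument policy are my assumptions, not something the thread specifies.

```c
/* Added example: reset the audit login uid (auid) to "unset" and exec a
 * fixed service-control command, so a daemon restarted by an administrator
 * is not attributed to that administrator's login session for its lifetime.
 * Assumptions (not from the thread): the only program ever exec'ed is
 * /sbin/service, and its arguments are validated below. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical fixed exec target; adjust for the distribution in use. */
#define TARGET "/sbin/service"

/* Service names are restricted to [A-Za-z0-9._-], at most 64 characters,
 * so argv[1] can never be a path or a shell fragment. Returns 1 if valid. */
int valid_service_name(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Only the usual init-script actions are accepted. Returns 1 if valid. */
int valid_action(const char *a)
{
    static const char *const ok[] = { "start", "stop", "restart", "reload", "status" };
    if (a == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (strcmp(a, ok[i]) == 0)
            return 1;
    return 0;
}

/* Write value ("-1" for unset) to /proc/self/loginuid. Returns 0 on success
 * or a negative errno. Needs CAP_AUDIT_CONTROL once an auid has been set;
 * the kernel records the change itself as an audit LOGIN record, so the
 * reset is visible in the audit log even though the daemon's later events
 * carry auid=unset. */
int reset_loginuid(const char *value)
{
    int fd = open("/proc/self/loginuid", O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t len = (ssize_t)strlen(value);
    ssize_t n = write(fd, value, len);
    int err = 0;
    if (n < 0)
        err = -errno;
    else if (n != len)
        err = -EIO;
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 3 || !valid_service_name(argv[1]) || !valid_action(argv[2])) {
        fprintf(stderr, "usage: %s <service> <start|stop|restart|reload|status>\n", argv[0]);
        return 2;
    }
    /* Fail closed: if the auid cannot be reset, do not run the service at all,
     * otherwise it would quietly inherit the administrator's auid. */
    int err = reset_loginuid("-1");
    if (err != 0) {
        fprintf(stderr, "cannot reset loginuid: %s\n", strerror(-err));
        return 1;
    }
    char *args[] = { TARGET, argv[1], argv[2], NULL };
    execv(TARGET, args);
    perror("execv " TARGET);
    return 1;
}
```

Build with `cc -O2 -o svcwrap svcwrap.c` and run as root, e.g. `./svcwrap httpd restart`. Because the sessionid is left untouched (Steve's point), the restarted daemon can still be tied back to the session that restarted it via the ses= field, while its auid no longer names the administrator. On kernels or policies that make loginuid immutable the write returns EPERM and the wrapper exits with the reason instead of starting the service.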