From: Matthew Booth
To: linux-audit
Subject: A scriptable utility for setting auid
Date: Tue, 20 Feb 2007 21:29:25 +0000
Message-ID: <1172006965.3947.14.camel@localhost.localdomain>
List-Id: linux-audit@redhat.com

I needed a way to exclude a very large class of audit traffic [1] in RHEL 4. It occurred to me that if I could launch a process and give it the auid of a dedicated user, I could easily filter it out along with all child processes.

With this in mind I wrote the attached simple wrapper round the audit_setloginuid. It sets its own auid to whatever you give it, then execs a command.

I'm assuming that this would be better achieved in RHEL 5 using selinux context filtering. However, I hope to use this tool to achieve useful auditing on an Oracle RAC node on RHEL 4.

Matt

[1] It turns out that Oracle CSSD, which maintains cluster membership, is a somewhat retarded shell script. Amongst many other things, it execs both bash and awk about 8 times per second.
-- 
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

Attachment: ausetauid.c (text/x-csrc)
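The wrapper idea described in the message, set the process's own auid and then exec a command so that every child inherits it, sketched as an added example that is not the attached ausetauid.c. It assumes that the login uid is set by writing the uid in decimal to /proc/self/loginuid (the mechanism behind audit_setloginuid); the helper names `write_loginuid`, `read_loginuid` and `lookup_uid` are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: auid is set by writing the uid in decimal; path is a parameter for testing. */
static int write_loginuid(const char *path, uid_t uid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int ok = fprintf(f, "%u", (unsigned)uid) > 0;
    if (fclose(f) != 0) ok = 0;   /* a refused write surfaces at flush */
    return ok ? 0 : -1;
}
/* Read the value back; -1 if unreadable. */
static long read_loginuid(const char *path)
{
    unsigned v = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int n = fscanf(f, "%u", &v);
    fclose(f);
    return n == 1 ? (long)v : -1;
}
/* Resolve a user name to its uid; 0 on success, -1 if unknown. */
static int lookup_uid(const char *name, uid_t *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *out = pw->pw_uid;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *path = "/proc/self/loginuid";
    uid_t uid;
    if (argc < 3 || lookup_uid(argv[1], &uid) != 0) {
        fprintf(stderr, "usage: %s <existing user> <command> [args...]\n", argv[0]);
        return 1;
    }
    if (write_loginuid(path, uid) != 0 || read_loginuid(path) != (long)uid) { /* fail closed */
        fprintf(stderr, "could not set auid to %u\n", (unsigned)uid);
        return 1;
    }
    execv(argv[2], argv + 2);     /* the new image and its children keep the auid */
    perror(argv[2]);
    return 1;
}
```

Changing the login uid normally requires root or CAP_AUDIT_CONTROL, and the kernel records the change as a LOGIN audit event, so use of such a wrapper is itself visible in the audit log.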