From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthew Booth Subject: Re: A scriptable utility for setting auid Date: Sun, 25 Feb 2007 23:35:51 +0000 Message-ID: <1172446551.3934.10.camel@localhost.localdomain> References: <1172006965.3947.14.camel@localhost.localdomain> <200702251817.42438.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1912159164==" Return-path: In-Reply-To: <200702251817.42438.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============1912159164== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-YH/NZO1d1ELdz1Izrn4R" --=-YH/NZO1d1ELdz1Izrn4R Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sun, 2007-02-25 at 18:17 -0500, Steve Grubb wrote: > On Tuesday 20 February 2007 16:29:25 Matthew Booth wrote: > > I needed a way to exclude a very large class of audit traffic [1] in > > RHEL 4. It occurred to me that if I could launch a process and give it > > the auid of a dedicated user, I could easily filter it out along with > > all child processes. With this in mind I wrote the attached simple > > wrapper round the audit_setloginuid. It sets its own auid to whatever > > you give it, then execs a command. >=20 > In general, I don't like the theory that this operates under. It could be= =20 > abused and then the audit trail coerced. Could you not achieve this by ma= king=20 > the apps set gid and filtering on the group? The utility doesn't create the ability to set an arbitrary auid, it just uses it. Any user who can use the utility could also execute any other snippet of code which does the same thing. This is mitigated by the fact that it generates a login event, which is audited. My goal is not to create a system which cannot be circumvented, just to make it obvious that it has been circumvented and by whom. When it comes to Oracle and WebLogic, you can only work with what you are given. The customer is already concerned at the Oracle support response to prepending my utility to the entries in inittab, even though this is a non-functional change from Oracle's POV. Altering the operation of Oracle would be completely out of the question. Matt --=20 Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490 --=-YH/NZO1d1ELdz1Izrn4R Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBF4h1XNEHqGdM8NJARAn++AJ9uS5/fKKX1htBC8vOCTVyfssYAPACfVfE9 HZlX72bcnlypcGkNtFeQYJ8= =f+kN -----END PGP SIGNATURE----- --=-YH/NZO1d1ELdz1Izrn4R-- --===============1912159164== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============1912159164==--