* Differentiating user activity from system activity
@ 2009-03-09 21:42 Matthew Booth
From: Matthew Booth @ 2009-03-09 21:42 UTC (permalink / raw)
To: linux-audit
In the broadest possible sense, including definitions of 'user activity'
and 'system activity', what schemes have people considered for the
above?
On other unixes, audit events have an associated 'terminal'. On the face
of it, this seems like a reasonable differentiator. I.e. a 'user'
process has a terminal, a 'system' process does not. Is this any good?
On Linux we don't record a terminal. How about a non-default auid? What
about system daemons restarted by an administrator? How about SELinux?
Your thoughts appreciated,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
* Re: Differentiating user activity from system activity
From: Steve Grubb @ 2009-03-10 15:52 UTC (permalink / raw)
To: linux-audit
On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> On Linux we don't record a terminal.
We do record terminal info in the tty & term fields. Additionally, if the auid
and ses fields are -1, you know it's a process that was descended from init.
If they have something in them, then it was descended from a login session.
> What about system daemons restarted by an administrator?
They would inherit the admin's environment and identifiers.
> How about SELinux?
Not sure how this applies.
-Steve
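As an added illustration, not part of the thread: a small Python classifier that applies the auid/ses rule from the reply above to raw audit records, and beside it the SELinux-context idea raised in the original question. The sample records are constructed (RHEL 5 style field names); the third one models a daemon restarted from an administrator's login session, which inherits the admin's auid and ses. Treating a `system_r` role as "system" is an assumption, not something the thread states.

```python
import re

# The kernel writes an unset login uid / session id as the unsigned form of -1;
# ausearch -i renders the same value as "unset" or -1, so all three are accepted.
UNSET = {"4294967295", "-1", "unset"}

# Constructed sample records (assumption: field layout, pids and contexts are made up).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1236634929.103:101): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0 key=(null)
type=SYSCALL msg=audit(1236634950.421:102): arch=c000003e syscall=2 success=yes exit=4 ppid=1900 pid=2002 auid=500 uid=500 gid=500 euid=500 tty=pts0 ses=3 comm="vim" exe="/bin/vim" subj=user_u:user_r:user_t:s0 key=(null)
type=SYSCALL msg=audit(1236634980.777:103): arch=c000003e syscall=2 success=yes exit=5 ppid=2010 pid=2011 auid=500 uid=0 gid=0 euid=0 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# key=value pairs; quoted values may contain spaces, unquoted ones run to whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(rec):
    """Rule from the thread: auid and ses unset => descended from init ("system");
    anything else => descended from a login session ("user").  Independently,
    derive a hint from the SELinux subject role (assumption: system_r means daemon),
    so that a daemon restarted from an admin session shows up as a disagreement."""
    by_auid = "system" if rec.get("auid") in UNSET and rec.get("ses") in UNSET else "user"
    parts = rec.get("subj", "").split(":")
    role = parts[1] if len(parts) > 1 else ""
    by_selinux = "system" if role == "system_r" else ("user" if role else "unknown")
    return {"pid": rec.get("pid"), "comm": rec.get("comm"), "tty": rec.get("tty"),
            "by_auid": by_auid, "by_selinux": by_selinux,
            "disagree": by_auid != by_selinux}


def classify_log(text):
    """Classify every SYSCALL record in a raw audit log excerpt."""
    return [classify(parse_record(l)) for l in text.splitlines()
            if l.startswith("type=SYSCALL")]


if __name__ == "__main__":
    for result in classify_log(SAMPLE_LOG):
        print(result)
```

The records flagged `disagree` are the ones worth a second look: a process with a login session's auid but a daemon's SELinux domain is exactly the "restarted by an administrator" case.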
* Re: Differentiating user activity from system activity
From: Matthew Booth @ 2009-03-10 18:05 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Tue, 2009-03-10 at 11:52 -0400, Steve Grubb wrote:
> On Monday 09 March 2009 05:42:09 pm Matthew Booth wrote:
> > On Linux we don't record a terminal.
>
> We do record terminal info in the tty & term fields. Additionally, if the auid
> and ses fields are -1, you know it's a process that was descended from init.
> If they have something in them, then it was descended from a login session.
I should have made this clear: the principal target is RHEL 4, although
RHEL 5 features are worth noting. Do these fields exist in RHEL 5?
> > What about system daemons restarted by an administrator?
>
> They would inherit the admin's environment and identifiers.
Is that something you've ever given any thought to? This could be quite
problematic in a number of situations. I suspect SELinux would be the
answer here.
> > How about SELinux?
>
> Not sure how this applies.
This would be RHEL 5 only, but I was thinking something along the lines
of differentiating based on SELinux context.
Matt