From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: A scriptable utility for setting auid
Date: Sun, 25 Feb 2007 18:17:42 -0500
Message-ID: <200702251817.42438.sgrubb@redhat.com>
References: <1172006965.3947.14.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1172006965.3947.14.camel@localhost.localdomain>
Content-Disposition: inline
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 20 February 2007 16:29:25 Matthew Booth wrote:
> I needed a way to exclude a very large class of audit traffic [1] in
> RHEL 4. It occurred to me that if I could launch a process and give it
> the auid of a dedicated user, I could easily filter it out along with
> all child processes. With this in mind I wrote the attached simple
> wrapper round the audit_setloginuid. It sets its own auid to whatever
> you give it, then execs a command.

In general, I don't like the theory that this operates under. It could be
abused and then the audit trail coerced. Could you not achieve this by making
the apps set gid and filtering on the group?

-Steve