From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Audit of physical users Date: Tue, 03 Sep 2013 17:04:10 -0400 Message-ID: <2217910.2QUQCy6Liz@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com Cc: Maupertuis Philippe List-Id: linux-audit@redhat.com On Monday, September 02, 2013 02:49:28 PM Maupertuis Philippe wrote: > I have a requirement to trace the activity of the physical users on Redhat > 5/6 systems. I spent the last week sifting through the archive to find > that the question was asked time and again. The basic rule is easy but the > hitch is when an administrator restarts a service. Unfortunately, it seems > there is no solution until systemd is used to start daemon instead of > service. Depending on how ambitious you are, you can write a little C program that opens /proc/self/loginuid and writes -1, then close, and execve the intended program. You will still have a sessionid that is not -1, but you have a solution. At the same time, it also means that admins could use the same tool to bypass audit rules. So, you'd probably want to think about it a bit. > The only useful thing I found was in this old post from 2007 > http://www.redhat.com/archives/linux-audit/2007-February/msg00071.html to > reset the auid. I would like to know if it can be used with the current > version of auditd. Probably, but you don't really need to link against libaudit. If you looked at the source to audit_setloginuid(), its just open /proc/self/loginuid and writing to it. > If yes, I will probably give it a try with a fixed > dedicated auid to clearly state that the auid was changed. Do I need to > install something besides audit and audit-libs ? > Is there any special need, for compiling this program ? I'd simplify. -Steve