linux-audit.redhat.com archive mirror
* auid of a script started by a daemon process.
@ 2017-02-20 16:50 Kaptaan
  2017-02-20 17:04 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Kaptaan @ 2017-02-20 16:50 UTC (permalink / raw)
  To: linux-audit@redhat.com



Hello All,
I have recently been introduced to Linux security. After going through man pages and some posts, I believe I have configured and set up my audit rules correctly. My need is to monitor and log access to all files in certain directories.
The problem:
Application1 - I log in using my id <user1>. I sudo to <super_user1> and start the application.
The application starts a few daemon processes owned by <super_user1>.

User2 - uses the application to access the files (through some script). The script is actually executed by the application's daemon process.

The auid shown in the audit logs is always my id <user1> for all audit events.

So I started capturing the uid from the logs which shows <user2>.

Now user2 is smart; he/she sudoes to <super_user2> and then runs the same script to access the files. This time the auid is shown as my user <user1>, and the uid and euid are always shown as <super_user2>.

Is there a way I can get the auid of the person who started the script even after he/she sudoes to another user?

Any help/suggestion is much appreciated.

Thanks,
Amit.








* Re: auid of a script started by a daemon process.
  2017-02-20 16:50 auid of a script started by a daemon process Kaptaan
@ 2017-02-20 17:04 ` Steve Grubb
  2017-02-20 18:24   ` Kaptaan
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2017-02-20 17:04 UTC (permalink / raw)
  To: linux-audit, Kaptaan

On Monday, February 20, 2017 11:50:31 AM EST Kaptaan wrote:
> Hello All,
> I have recently been introduced to Linux security. After going through man
> pages and some posts, I believe I have configured and set up my audit rules
> correctly. My need is to monitor and log access to all files in certain
> directories. The problem:
> Application1 - I log in using my id <user1>. I sudo to <super_user1> and
> start the application. The application starts a few daemon processes owned by
> <super_user1>.
> 
> User2 - uses the application to access the files (through some script). The
> script is actually executed by the application's daemon process.
> 
> The auid shown in the audit logs is always my id <user1> for all audit
> events.

Yes. This sounds like a problem. The auid is the mechanism to track who the 
person is no matter who they sudo/su to. The uid is the transient id of the 
user that changes with whatever account they are currently using.

Daemons have an auid of (unsigned int)-1. I think that to fix the issue, you 
need your daemons started by themselves and not from your account. With 
systemd it's pretty easy. On a SysVinit-based system... it's not fixable.

The auid is set on login and is inherited by each process that gets started in 
your session. With systemd, when you start a daemon a message goes across dbus 
and systemd forks and execs the daemon. The auid is -1. On sysVinit systems, 
you run the init script in your session so the daemon picks up your auid.


> So I started capturing the uid from the logs which shows <user2>.
> 
> Now user2 is smart; he/she sudoes to <super_user2> and then runs the same
> script to access the files. This time the auid is shown as my user <user1>,
> and the uid and euid are always shown as <super_user2>.
> 
> Is there a way I can get the auid of the person who started the script even
> after he/she sudoes to another user?

It is the auid.

-Steve

> Any help/suggestion is much appreciated.
> 
> Thanks,
> Amit.


* Re: auid of a script started by a daemon process.
  2017-02-20 17:04 ` Steve Grubb
@ 2017-02-20 18:24   ` Kaptaan
  2017-02-20 19:18     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Kaptaan @ 2017-02-20 18:24 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Thanks Steve for the prompt response.

Could you please help me understand how starting the application from systemd will solve my problem of capturing the auid of the person who sudoes to another userid and runs the script to access the files?
<user2> sudoes to <super_user2> and runs the script to access the files.

With the application started by systemd, auid will be -1, uid would still be <super_user2>, and <user2>'s id won't be logged in the audit log. Is it not?

Thanks,
Amit.







* Re: auid of a script started by a daemon process.
  2017-02-20 18:24   ` Kaptaan
@ 2017-02-20 19:18     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2017-02-20 19:18 UTC (permalink / raw)
  To: Kaptaan; +Cc: linux-audit

On Monday, February 20, 2017 1:24:28 PM EST Kaptaan wrote:
> Thanks Steve for the prompt response.
> 
> Could you please help me understand how starting the application from
> systemd will solve my problem of capturing the auid of the person who
> sudoes to another userid and runs the script to access the files? <user2>
> sudoes to <super_user2> and runs the script to access the files.

I have some slides here:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf

See pages 6 - 11 for a pictorial explanation.

> with the application starting as systemd - auid will be -1,

Yes, and uid will be root or the daemon's uid.

> uid would still be <super_user2> 

If the daemon is started by systemd, its uid will be root until it changes to 
its final uid. The main thing is that it's not part of any user session and its 
auid will always be -1.

> and <user2> id wont be logged in audit log. Is it not?

User 2 should log in as user 2 and its auid will be user 2. If they sudo to 
another acct, auid will still be user 2 and uid will be the new uid. Also, 
there is an untamperable and unique session id that gets associated with a 
login. It's the "ses" field. This is also inherited by any new process in the 
session. This lets you track any action to a specific login.

-Steve


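The behaviour Steve describes across both replies (auid and ses survive sudo while uid changes; a daemon launched by systemd rather than from a login session carries an unset auid), shown on constructed audit records. This is an added example, not code from the thread or from the audit project; the numeric ids, the `appd` daemon and the `secret_files` key are hypothetical.

```python
"""Attribute audit SYSCALL records to a login via auid/ses (added example,
not code from the thread). Sample lines are constructed to mirror the thread:
auid survives sudo, uid does not, systemd-started daemons carry auid=unset."""
import re
from collections import defaultdict

AUID_UNSET = 4294967295  # (unsigned int)-1; ausearch -i prints it as "unset"

# Constructed records; numeric ids are hypothetical:
# 1000=user1, 1001=user2, 2000=super_user1, 2001=super_user2.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1487609431.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 euid=1001 ses=7 comm="cat" key="secret_files"
type=SYSCALL msg=audit(1487609440.202:202): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=2001 euid=2001 ses=7 comm="cat" key="secret_files"
type=SYSCALL msg=audit(1487609450.303:203): arch=c000003e syscall=257 success=yes exit=4 auid=1000 uid=2000 euid=2000 ses=3 comm="appd" key="secret_files"
type=SYSCALL msg=audit(1487609460.404:204): arch=c000003e syscall=257 success=yes exit=4 auid=4294967295 uid=2000 euid=2000 ses=4294967295 comm="appd" key="secret_files"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def attribute(log_text):
    """Group SYSCALL records by login (auid, ses) -> list of uids seen.

    A command run after sudo lands under the same login as the command run
    before it, just with a different uid. Records whose auid is unset are
    not part of any login and are grouped under the key "daemon".
    """
    by_login = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        auid, uid = int(rec["auid"]), int(rec["uid"])
        if auid == AUID_UNSET:
            by_login["daemon"].append(uid)
        else:
            by_login[(auid, int(rec["ses"]))].append(uid)
    return dict(by_login)


if __name__ == "__main__":
    for login, uids in attribute(SAMPLE_LOG).items():
        print(login, "->", uids)
```

Record 202 (user2 after sudo to super_user2) is attributed to the same login as record 201, which is exactly what the uid field alone cannot tell you; record 204 shows the daemon the way it looks when systemd, not user1's session, started it.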