linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Maupertuis Philippe <philippe.maupertuis@worldline.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Setting loginuid for a process starting at boot
Date: Tue, 14 Jan 2014 09:33:48 -0500
Message-ID: <4604089.FuJBARoamI@x2>
In-Reply-To: <A35547AE65CDA84F93D4012BDFB5D5553DBFE5BB51@FRVDX100.fr01.awl.atosorigin.net>

On Tuesday, January 14, 2014 02:13:45 PM Maupertuis Philippe wrote:
> Auditctl -e won't probably go unnoticed while an inconspicuous echo probably
> would.

Both are auditable events as required by common criteria. Changes to auditing 
must produce an event as well as the assignment of loginuids. This is 
automatic and not caused by a rule.

> Is there a rule to track this action without overloading the system?

Changes to audit state are auditable events. You can test this yourself with 
auditctl and ausearch.


> Alternatively, is a post mortem analysis viable ?

Yes.


> I was thinking of finding process in the audit.log whose loginuid differs
> from parent's loginuid. Is there a way to extract information and reformat
> the result (to keep process pid ppid loginuid for example) ?

You can write a utility using the auparse library to do anything you want it 
to do.

https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c

The aulastlog program is probably a decent starting point to create something 
like this. Instead of keeping uid, you'd be keeping pids and some attributes 
of them. My guess is that you'll have long running processes that are not in 
the logs and you'll have some unknowns.

-Steve
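As an added example (not code from this thread or from the audit project), the post-mortem scan Philippe describes and Steve's aulastlog suggestion, done in Python over raw audit.log text instead of the auparse C library: it keeps pid -> (ppid, auid, comm) from SYSCALL records, flags children whose auid differs from their parent's, and cross-checks each such child against the LOGIN records the kernel emits on its own when a loginuid is assigned; CONFIG_CHANGE records (audit state changes) are listed alongside. The record layouts are the standard kernel ones; the sample log, pids and uids are constructed. The table keeps the latest sighting of each pid, so pid reuse inside one log is an assumed non-issue here, and processes whose parent never appears in the log end up in the "unknowns" Steve mentions.

```python
#!/usr/bin/env python3
"""Post-mortem loginuid scan over audit.log text (added example, not code from
the thread or the audit project). Keeps pid -> (ppid, auid, comm) from SYSCALL
records, flags children whose auid differs from the parent's, and lists the
LOGIN and CONFIG_CHANGE records the kernel emits by itself when a loginuid is
assigned or the audit state changes. SAMPLE_LOG is constructed, not real."""
import re
import sys

UNSET_AUID = 4294967295  # (unsigned)-1: loginuid never assigned

_HEADER_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
_TOKEN_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="v"


def parse_record(line):
    """Return (type, serial, fields) for one audit record line, else None."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _TOKEN_RE.findall(rest)}
    return rtype, int(serial), fields


def scan(lines):
    """Build the process table and collect findings from audit.log lines."""
    procs = {}          # pid -> latest sighting (pid reuse is not detected)
    logins, config = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, serial, f = rec
        if rtype == "SYSCALL" and "pid" in f and "auid" in f:
            procs[int(f["pid"])] = {
                "ppid": int(f.get("ppid", -1)), "auid": int(f["auid"]),
                "comm": f.get("comm", "?"), "serial": serial}
        elif rtype == "LOGIN":          # a process wrote /proc/self/loginuid
            logins.append({"pid": int(f["pid"]), "auid": int(f["auid"]),
                           "old_auid": int(f.get("old-auid", UNSET_AUID)),
                           "serial": serial})
        elif rtype == "CONFIG_CHANGE":  # auditctl -e, rule changes, etc.
            config.append(dict(f, serial=serial))
    mismatches, unknown_parent = [], []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent is None:   # parent never logged: pre-boot or long-running
            unknown_parent.append(pid)
        elif parent["auid"] != p["auid"]:
            mismatches.append((pid, p["ppid"], parent["auid"], p["auid"], p["comm"]))
    return {"procs": procs, "mismatches": mismatches, "unknown_parent": unknown_parent,
            "loginuid_changes": logins, "config_changes": config}


def classify(result):
    """Split mismatches into those backed by a LOGIN record (pid or ppid) and the rest."""
    by_pid = {}
    for ev in result["loginuid_changes"]:
        by_pid.setdefault(ev["pid"], set()).add(ev["auid"])
    explained, unexplained = [], []
    for pid, ppid, _parent_auid, auid, _comm in result["mismatches"]:
        if auid in by_pid.get(pid, ()) or auid in by_pid.get(ppid, ()):
            explained.append(pid)
        else:
            unexplained.append(pid)
    return explained, unexplained


# Constructed sample: an sshd login session, a cron child whose auid changed with
# no LOGIN record in this log, an auditctl -e 0, and a process with an unlogged parent.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1389712425.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=LOGIN msg=audit(1389712430.150:202): pid=1300 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=3 res=1
type=SYSCALL msg=audit(1389712430.202:203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1389712440.303:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1400 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1389712450.404:205): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1500 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1389712460.505:206): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1500 pid=1600 auid=1000 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key=(null)
type=CONFIG_CHANGE msg=audit(1389712470.606:207): audit_enabled=0 old=1 auid=1000 ses=3 res=1
type=SYSCALL msg=audit(1389712480.707:208): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=999 pid=1700 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key=(null)
"""


def main(argv):
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG.splitlines()
    r = scan(lines)
    explained, _unexplained = classify(r)
    for pid, ppid, pauid, auid, comm in r["mismatches"]:
        tag = "LOGIN record" if pid in explained else "NO LOGIN RECORD"
        print(f"pid={pid} ppid={ppid} auid={auid} parent_auid={pauid} comm={comm} [{tag}]")
    print("parent not in log:", r["unknown_parent"])
    print("audit state changes:", [(c["serial"], c.get("audit_enabled"), c.get("auid"))
                                   for c in r["config_changes"]])


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a path to an audit.log (or no argument for the built-in sample). On the sample, pid 1300 is reported as a normal login boundary because LOGIN serial 202 covers it, pid 1600 is reported with no LOGIN record in the scanned log, and pids 1200, 1500 and 1700 land in the unknown-parent list.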

Thread overview: 9+ messages
2014-01-12 22:00 Setting loginuid for a process starting at boot Maupertuis Philippe
2014-01-13 20:12 ` Eric Paris
2014-01-13 20:16   ` Steve Grubb
2014-01-13 21:17     ` RE : " Maupertuis Philippe
2014-01-13 22:05       ` Steve Grubb
2014-01-14 13:13         ` Maupertuis Philippe
2014-01-14 14:33           ` Steve Grubb [this message]
2014-01-14 15:55             ` Maupertuis Philippe
2014-01-14 16:15               ` Steve Grubb
