From: Steve Grubb
Subject: Re: Setting loginuid for a process starting at boot
Date: Tue, 14 Jan 2014 09:33:48 -0500
Message-ID: <4604089.FuJBARoamI@x2>
References: <2073409.YWMcLiFAGF@x2>
To: Maupertuis Philippe
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Tuesday, January 14, 2014 02:13:45 PM Maupertuis Philippe wrote:
> Auditctl -e won't probably go unnoticed while an inconspicuous echo probably
> would.

Both are auditable events as required by Common Criteria. Changes to auditing
must produce an event, as well as the assignment of loginuids. This is
automatic and not caused by a rule.

> Is there a rule to track this action without overloading the system?

Changes to audit state are auditable events. You can test this yourself with
auditctl and ausearch.

> Alternatively, is a post mortem analysis viable?

Yes.

> I was thinking of finding processes in the audit.log whose loginuid differs
> from the parent's loginuid. Is there a way to extract information and reformat
> the result (to keep process pid ppid loginuid for example)?

You can write a utility using the auparse library to do anything you want it
to do.

https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c

The aulastlog program is probably a decent starting point to create something
like this. Instead of keeping uid, you'd be keeping pids and some attributes
of them. My guess is that you'll have long-running processes that are not in
the logs and you'll have some unknowns.

-Steve
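The post-mortem analysis discussed above, as an added example that is not part of this thread or of the audit project: instead of the auparse C library it reads raw audit.log text with a small key=value parser, tracks each pid's most recent auid from SYSCALL records, and flags a child whose auid differs from its parent's unless an audited LOGIN record for that pid explains the change. It also lists LOGIN and CONFIG_CHANGE records, the events Steve notes the kernel emits without any rule being loaded. A parent that never appears in the log (a daemon running since before auditd started) is reported as unknown rather than flagged, which is the "unknowns" caveat from the reply. The sample records are constructed for this example and carry only a subset of the fields a real record has.

```python
"""Post-mortem loginuid consistency check over audit.log records.

Added example, not code from the audit project or from this thread.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

AUID_UNSET = 4294967295  # (unsigned)-1: loginuid never assigned

# Constructed sample records in audit.log layout (field set trimmed).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1389700000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=700 auid=4294967295 uid=0 gid=0 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1389700010.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=800 auid=4294967295 uid=0 gid=0 ses=4294967295 comm="sh" exe="/bin/sh" key=(null)
type=LOGIN msg=audit(1389700012.300:103): pid=800 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=7 res=1
type=SYSCALL msg=audit(1389700013.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=800 pid=801 auid=0 uid=0 gid=0 ses=7 comm="bash" exe="/bin/bash" key=(null)
type=CONFIG_CHANGE msg=audit(1389700020.500:105): audit_enabled=0 old=1 auid=0 ses=7 res=1
type=SYSCALL msg=audit(1389700025.600:106): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=900 auid=500 uid=0 gid=0 ses=9 comm="sh" exe="/bin/sh" key=(null)
type=SYSCALL msg=audit(1389700030.700:107): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 ses=3 comm="ls" exe="/bin/ls" key=(null)
"""

# One key=value token; values may be quoted strings containing spaces.
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


class Finding(NamedTuple):
    pid: int
    ppid: int
    auid: int
    parent_auid: Optional[int]  # None: parent never seen in the log
    suspicious: bool


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def analyze(log_text: str) -> Tuple[List[Finding], List[Tuple[str, str, str]]]:
    """Return (findings, events).

    findings: one Finding per SYSCALL record, in log order.
    events:   (serial, type, detail) for every LOGIN and CONFIG_CHANGE record.
    """
    auid_of: Dict[int, int] = {}   # pid -> most recent auid seen for it
    logged_in: Set[int] = set()    # pids whose auid assignment was audited
    findings: List[Finding] = []
    events: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        rtype = rec.get("type")
        serial = rec.get("msg", "")
        if rtype == "SYSCALL":
            pid, ppid, auid = int(rec["pid"]), int(rec["ppid"]), int(rec["auid"])
            parent_auid = auid_of.get(ppid)
            # A child auid that differs from the parent's is only explained
            # by an audited LOGIN record for that pid (pam_loginuid etc.).
            suspicious = (parent_auid is not None and parent_auid != auid
                          and pid not in logged_in)
            findings.append(Finding(pid, ppid, auid, parent_auid, suspicious))
            auid_of[pid] = auid
        elif rtype == "LOGIN":
            pid = int(rec["pid"])
            auid_of[pid] = int(rec["auid"])
            logged_in.add(pid)
            events.append((serial, "LOGIN",
                           f"pid={pid} old-auid={rec.get('old-auid')} auid={rec['auid']}"))
        elif rtype == "CONFIG_CHANGE":
            detail = " ".join(f"{k}={rec[k]}" for k in ("audit_enabled", "old", "auid")
                              if k in rec)
            events.append((serial, "CONFIG_CHANGE", detail))
    return findings, events


def suspicious_pids(log_text: str) -> List[int]:
    """Pids whose auid differs from the parent's with no LOGIN record."""
    return [f.pid for f in analyze(log_text)[0] if f.suspicious]


def unknown_parent_pids(log_text: str) -> List[int]:
    """Pids whose parent never appeared in the log (cannot be judged)."""
    return [f.pid for f in analyze(log_text)[0] if f.parent_auid is None]


if __name__ == "__main__":
    findings, events = analyze(SAMPLE_LOG)
    for f in findings:
        tag = "SUSPICIOUS" if f.suspicious else ("unknown" if f.parent_auid is None else "ok")
        print(f"pid={f.pid} ppid={f.ppid} auid={f.auid} parent_auid={f.parent_auid} {tag}")
    for serial, rtype, detail in events:
        print(f"{rtype} {serial} {detail}")
```

On the sample, pid 800 starts with an unset auid and then gets an audited LOGIN record assigning auid 0, so its child 801 (auid 0) is consistent; pid 900, a child of the unset-auid cron with auid 500 and no LOGIN record, is the one flagged; pids 700 and 4001 have parents that never appear and are reported as unknown. Against a real audit.log the same logic would need to consume the full record set, since a pid can be reused once a process exits.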