From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: One challenge for audit - seeking ideas
Date: Mon, 09 Jun 2014 10:53:45 -0500
Message-ID: <5395D889.9050301@magitekltd.com>
References: <1402306766.6186.52.camel@swtf.swtf.dyndns.org>
In-Reply-To: <1402306766.6186.52.camel@swtf.swtf.dyndns.org>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 06/09/2014 04:39 AM, Burn Alting wrote:
> All,
>
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
>
> That is
>
> a. User logs into system (and pam sets auid)
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service
> d. All audit events resulting from the service have the user's auid.
>
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
>
> I am interested in any other solutions that people may have implemented
> successfully. Especially for the systemd replacement, if it's been done.
>
> Regards
>
> Burn
>

Like run_init does (in the policycoreutils rpm)?

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
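As an added example (not code from this thread or from any project it mentions), a minimal C front-end of the kind Burn describes: it resets the calling process's auid to the "unset" value before exec'ing the real /sbin/service, so the restarted daemon's events carry no login uid rather than the administrator's. It assumes /sbin/service is the real command path and writes /proc/self/loginuid directly (the interface libaudit's audit_setloginuid() wraps); this needs CAP_AUDIT_CONTROL, and a kernel or audit configuration that makes an already-set loginuid immutable will refuse the write, in which case the wrapper exits without starting the service.

```c
/* Front-end for /sbin/service that clears the audit login uid (auid)
 * before exec'ing the real script. Added illustration, not the list's code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define AUDIT_UID_UNSET 4294967295U   /* kernel's "loginuid not set" value */
#define SERVICE_CMD "/sbin/service"   /* assumed path of the wrapped command */

/* Parse the text of /proc/<pid>/loginuid ("1000\n", "4294967295").
 * Returns 0 and stores the uid on success, -1 on malformed input. */
int parse_loginuid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0' || *s == '-') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || v > 4294967295UL) return -1;
    while (*end == '\n' || *end == ' ') end++;   /* tolerate trailing newline */
    if (*end != '\0') return -1;
    *out = (uid_t)v;
    return 0;
}

/* Read this process's current auid; 0 on success, -1 on failure. */
int get_loginuid(uid_t *out)
{
    char buf[32];
    FILE *f = fopen("/proc/self/loginuid", "r");
    if (f == NULL) return -1;
    if (fgets(buf, sizeof buf, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    return parse_loginuid(buf, out);
}

/* Set this process's auid; the exec'ed service inherits it. Needs CAP_AUDIT_CONTROL. */
int set_loginuid(uid_t uid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%u", (unsigned)uid);
    int fd = open("/proc/self/loginuid", O_WRONLY);
    if (fd < 0) return -1;
    if (write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

int main(int argc, char **argv)
{
    uid_t cur;
    (void)argc;
    /* Refuse to start the service mis-attributed if the reset is denied. */
    if (get_loginuid(&cur) == 0 && cur != AUDIT_UID_UNSET &&
        set_loginuid(AUDIT_UID_UNSET) != 0) {
        perror("reset loginuid");
        return 1;
    }
    argv[0] = (char *)SERVICE_CMD;   /* pass "service <name> <action>" through */
    execv(SERVICE_CMD, argv);
    perror("execv " SERVICE_CMD);
    return 1;
}
```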