From: Steve Grubb
Subject: Re: One challenge for audit - seeking ideas
Date: Mon, 09 Jun 2014 16:17:50 -0400
Message-ID: <9108984.DhY7uApaoG@x2>
References: <1402306766.6186.52.camel@swtf.swtf.dyndns.org>
In-Reply-To: <1402306766.6186.52.camel@swtf.swtf.dyndns.org>
To: linux-audit@redhat.com, burn@swtf.dyndns.org
List-Id: linux-audit@redhat.com

On Monday, June 09, 2014 07:39:26 PM Burn Alting wrote:
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
>
> That is:
>
> a. User logs into system (and pam sets auid).
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service.
> d. All audit events resulting from the service have the user's auid.
>
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command, which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
>
> I am interested in any other solutions that people may have implemented
> successfully, especially for the systemd replacement, if it's been done.

On older sysvinit systems, you could also plumb upstart to do service starts
via its dbus/socket, kind of the same way telinit communicates with it. I
think upstream made this work a long time ago.

Stopping a service should be left as is.

-Steve
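The front-end Burn describes (reset the login uid, then execv /sbin/service with the original arguments), written out as an added example. This is not code from the thread or from audit-userspace; it is a sketch of such a wrapper. Instead of linking libaudit it writes /proc/self/loginuid directly, which is what libaudit's audit_setloginuid() does underneath, so it builds with only libc. The wrapper name, the choice to reset the auid to the kernel's "unset" value (4294967295) rather than to the service account's uid, and the decision to reset only for start and restart (leaving stop alone, as Steve suggests) are assumptions made for the example.

```c
/* auditservice.c: hypothetical front-end for /sbin/service that drops the
 * operator's login uid before a daemon is started or restarted, so the
 * daemon's audit events are not attributed to whoever ran the restart.
 * Added example, not code from the linux-audit thread or audit-userspace.
 * Writing /proc/self/loginuid is what libaudit's audit_setloginuid() does;
 * the write needs CAP_AUDIT_CONTROL (in practice: run the wrapper as root).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define SERVICE_CMD     "/sbin/service"   /* RHEL5/RHEL6 sysvinit wrapper */
#define AUDIT_UID_UNSET 4294967295U       /* (uid_t)-1: kernel's "loginuid not set" */

/* Only actions that launch a daemon get a fresh auid. "stop" is left as is
 * so the operator who stopped the service stays attributable. */
int action_resets_auid(const char *action)
{
    return strcmp(action, "start") == 0 || strcmp(action, "restart") == 0;
}

/* Render a uid as the decimal string /proc/self/loginuid expects.
 * Returns the string length, or -1 if buf is too small. */
int format_loginuid(uid_t uid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%u", (unsigned)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Set the calling process's login uid (inherited across execv by the
 * service script and the daemon it spawns). Returns 0 or -errno. */
int set_loginuid(uid_t uid)
{
    char buf[32];
    int n = format_loginuid(uid, buf, sizeof buf);
    if (n < 0)
        return -EINVAL;
    int fd = open("/proc/self/loginuid", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, buf, (size_t)n);
    int err = (w == n) ? 0 : (w < 0 ? -errno : -EIO);
    close(fd);
    return err;
}

/* Build argv for execv: {"/sbin/service", name, action, extra..., NULL}.
 * Returns a calloc'd array the caller frees, or NULL on allocation failure. */
char **build_service_argv(const char *name, const char *action,
                          int nextra, char *const *extra)
{
    char **argv = calloc((size_t)nextra + 4, sizeof *argv);
    if (!argv)
        return NULL;
    argv[0] = (char *)SERVICE_CMD;
    argv[1] = (char *)name;
    argv[2] = (char *)action;
    for (int i = 0; i < nextra; i++)
        argv[3 + i] = extra[i];
    argv[3 + nextra] = NULL;
    return argv;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <service> <start|stop|restart|...> [args]\n", argv[0]);
        return 2;
    }
    const char *name = argv[1], *action = argv[2];

    if (action_resets_auid(action)) {
        int rc = set_loginuid(AUDIT_UID_UNSET);
        if (rc) {
            /* Refuse rather than start the daemon under the operator's auid. */
            fprintf(stderr, "cannot reset loginuid: %s\n", strerror(-rc));
            return 1;
        }
    }

    char **sargv = build_service_argv(name, action, argc - 3, argv + 3);
    if (!sargv) {
        perror("calloc");
        return 1;
    }
    execv(SERVICE_CMD, sargv);       /* only returns on failure */
    perror("execv " SERVICE_CMD);
    return 127;
}
```

Two caveats when deploying something like this: the kernel only lets a process that already has a login uid change it if it holds CAP_AUDIT_CONTROL, and some kernel configurations make the login uid immutable once set, in which case the write fails with EPERM and this wrapper deliberately exits instead of starting the daemon misattributed. It also only covers the sysvinit /sbin/service path; the systemd side of Burn's question is not addressed here.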