On 06/09/2014 04:39 AM, Burn Alting wrote:
> All,
>
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
>
> That is
>
> a. User logs into system (and pam sets auid)
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service
> d. All audit events resulting from the service have the user's auid.
>
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
>
> I am interested in any other solutions that people may have implemented
> successfully. Especially for the systemd replacement, if it's been done.
>
> Regards
>
> Burn
>

Like run_init does (in the policy_coreutils rpm)?
LCB

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
