On Monday, June 09, 2014 07:39:26 PM Burn Alting wrote:
> I am looking at ways to counter the situation where a user restarts a
> service and hence all that service's auditing events are attributed to
> the auid of the user who performed the restart.
>
> That is
>
> a. User logs into system (and pam sets auid)
> b. User su's or sudo's up to a service account (auid still the same).
> c. User restarts the service
> d. All audit events resulting from the service have the user's auid.
>
> At present I am looking at a solution that front-ends the
> RHEL5/RHEL6 /sbin/service command which sets the auid via an
> audit_setloginuid() call and then execv's the service script and command
> arguments.
>
> I am interested in any other solutions that people may have implemented
> successfully. Especially for the systemd replacement, if it's been done.

On older sysvinit systems, you could also plumb upstart to do service starts via its dbus/socket kind of the same way telinit communicates with it. I think upstream made this work a long time ago. Stopping a service should be left as is.

-Steve
