On Monday, February 20, 2017 11:50:31 AM EST Kaptaan wrote: > Hello All, > I have recently been introduced to linux security. After going through man > pages and some posts, I believe I have configured and setup my audit rules > correctly. My need is to monitor and log access to all files in certain > directories. The problem. > Application1 - I log in using my id <user1>. I sudo to <super_user1> and > start the application. The application starts a few daemon process owned by > <super_user1>. > > User2 - uses the application to access the files (through some script). The > script is actually executed by the application's daemon process. > > The auid shown in the audit logs is always my id <user1> for all audit > events.
Yes. This sounds like a problem. The auid is the mechanism to track who the person is no matter who they sudo/su to. The uid is the transient id of the user that changes with whatever account they are currently using. Daemons have an auid of (unsigned int)-1. I think that to fix the issue, you need your daemons started by themselves and not from your account. With systemd its pretty easy. From a SysVinit based system...its not fixable. The auid is set on login and is inherited by each process that gets started in your session. With systemd, when you start a daemon a message goes across dbus and systemd forks and execs the daemon. The auid is -1. On sysVinit systems, you run the init script in your session so the daemon picks up your auid. > So I started capturing the uid from the logs which shows <user2>. > > Now user2 is smart, he/she sudo to <super_user2> and then runs the same > script to access the files. This time the auid is shown as my user <user1> > and the uid, euid is always shown as <super_user2>. > > Is there a way I can get the auid of the person who started the script even > after he/she sudoes to another user? It is the auid. -Steve > Any help/suggestion is much appreciated. > > Thanks, > Amit. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit