On Wednesday, April 7, 2021 3:20:22 AM EDT MAUPERTUIS, PHILIPPE wrote:
> I understand that daemons started by systemd have a uid -1.
> For a specific daemon, I would like to have a different auid to trace what
> the daemon is doing. By having a distinct auid it would be monitored
> without specific rules. Is that possible?

While it may be possible, that violates how the audit system was designed to 
operate. Setting the loginuid also sets the session ID. The utilities look 
for those events to determine that a login has occurred and then track that.

> Otherwise what would be the best way to monitor a specific daemon?

There is auditing by application.

-a always,exit -F exe=/usr/sbin/httpd  -F arch=b64 -S open,openat, ...

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
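
What the exe-based rule in the reply above yields in practice, as an added example that is not part of the original message: the Python below selects a daemon's SYSCALL records by their exe field from constructed raw audit records, showing the events stay attributable although auid and ses are unset (4294967295 in the raw log). The sample records and the key name httpd-open (as would be attached with auditctl's -k option) are assumptions.

```python
import re
from collections import Counter

UNSET = 4294967295  # raw-log value of an unset auid/ses (-1 as unsigned 32-bit)

# Constructed sample records in raw audit.log format (not from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1617780022.101:501): arch=c000003e syscall=257 success=yes exit=9 ppid=1 pid=2210 auid=4294967295 uid=48 gid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="httpd-open"
type=SYSCALL msg=audit(1617780022.340:502): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=2210 auid=4294967295 uid=48 gid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="httpd-open"
type=SYSCALL msg=audit(1617780025.007:503): arch=c000003e syscall=257 success=yes exit=3 ppid=3001 pid=3050 auid=1000 uid=1000 gid=1000 ses=4 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1617780022.340:502): item=0 name="/var/log/secure" inode=1234 nametype=NORMAL
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one raw audit record into a dict of its name=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = re.search(r'audit\((\d+\.\d+):(\d+)\)', line)
    if m:
        rec['time'], rec['serial'] = m.group(1), int(m.group(2))
    return rec

def daemon_events(log, exe):
    """SYSCALL records produced by `exe`, selected without relying on auid."""
    out = []
    for line in log.splitlines():
        rec = parse(line)
        if rec.get('type') == 'SYSCALL' and rec.get('exe') == exe:
            out.append(rec)
    return out

def summarize(events):
    """Count events by (auid is unset, success flag)."""
    return Counter((int(e['auid']) == UNSET, e['success']) for e in events)

if __name__ == '__main__':
    evs = daemon_events(SAMPLE_LOG, '/usr/sbin/httpd')
    for e in evs:
        print(e['serial'], e['exe'], 'auid=' + e['auid'], 'success=' + e['success'])
    print(summarize(evs))
```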
