How does one audit when the user performs an action that normally requires elevated privileges?
Right now I'm allowing my users to shutdown/reboot systems, using the Gnome menu item(s) and/or power button on the login screen. I would like to audit this specific event but I don't know how to do it. Just auditing the execution of /sbin/shutdown doesn't give me sufficient information in order to determine that the reboot was a result of a user clicking the gnome GUI item. I don't even see a message that indicates the uid of the user in connection with the shutdown event.

Here's an excerpt of the audit.log for when a normal user performs a reboot:

type=SYSCALL msg=audit(1446729410.820:6348): arch=c000003e syscall=59 success=yes exit=0 a0=7e2700 a1=7e0bf0 a2=7e0780 a3=7ffce02dad00 items=2 ppid=8633 pid=8634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:shutdown_t:s0-s0:c0.c1023 key="power"
type=EXECVE msg=audit(1446729410.820:6348): argc=3 a0="/sbin/shutdown" a1="-r" a2="now"
type=CWD msg=audit(1446729410.820:6348): cwd="/"
type=PATH msg=audit(1446729410.820:6348): item=0 name="/sbin/shutdown" inode=501 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shutdown_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1446729410.820:6348): item=1 name=(null) inode=1649 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1446729410.861:6349): arch=c000003e syscall=2 success=yes exit=5 a0=7fc8c1147db3 a1=80002 a2=7fc8c1147db3 a3=fffffffffffffdcf items=1 ppid=8633 pid=8634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:shutdown_t:s0-s0:c0.c1023 key="session"
type=CWD msg=audit(1446729410.861:6349): cwd="/"
type=PATH msg=audit(1446729410.861:6349): item=0 name="/var/run/utmp" inode=262150 dev=fd:03 mode=0100664 ouid=0 ogid=22 rdev=00:00 obj=system_u:object_r:initrc_var_run_t:s0 nametype=NORMAL

Unless I'm missing it, I don't see anything that indicates the action originated from a gnome GUI item. I think this falls under AC-6.

Below is a link to my current audit.rules (based on an older security baseline, not the current scap-security-guide):
http://pastebin.com/KvxNNBjZ

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Robert Jacobson
[email protected]
Lead System Admin
Solar Dynamics Observatory (SDO)
Bldg 14, E222
(301) 286-1591

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
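As an added example (not part of the post above or of scap-security-guide), the following parser groups the audit records quoted in the post by event serial, picks out each execve of /sbin/shutdown, and flags events whose auid is unset (4294967295, i.e. no login session the action can be attributed to), which is exactly the gap the post describes. The event with serial 7000 is constructed, not from the post, to show what the same command looks like when a logged-in user's auid and ses are carried along.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt in the post (serials 6348 and 6349, line-wrap artifacts
# joined). Serial 7000 is CONSTRUCTED: the same command run from a login session, for contrast.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1446729410.820:6348): arch=c000003e syscall=59 success=yes exit=0 a0=7e2700 a1=7e0bf0 a2=7e0780 a3=7ffce02dad00 items=2 ppid=8633 pid=8634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:shutdown_t:s0-s0:c0.c1023 key="power"
type=EXECVE msg=audit(1446729410.820:6348): argc=3 a0="/sbin/shutdown" a1="-r" a2="now"
type=CWD msg=audit(1446729410.820:6348): cwd="/"
type=PATH msg=audit(1446729410.820:6348): item=0 name="/sbin/shutdown" inode=501 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shutdown_exec_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1446729410.861:6349): arch=c000003e syscall=2 success=yes exit=5 a0=7fc8c1147db3 a1=80002 a2=7fc8c1147db3 a3=fffffffffffffdcf items=1 ppid=8633 pid=8634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" subj=system_u:system_r:shutdown_t:s0-s0:c0.c1023 key="session"
type=SYSCALL msg=audit(1446729500.000:7000): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=9000 pid=9001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="shutdown" exe="/sbin/shutdown" key="power"
type=EXECVE msg=audit(1446729500.000:7000): argc=3 a0="/sbin/shutdown" a1="-r" a2="now"
"""

UNSET = 4294967295  # auditd prints (unsigned)-1 when the login uid / session id was never set

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be double-quoted


def parse_records(text):
    """Group raw audit records by event serial: {serial: [(record_type, {field: value}), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        events[int(m.group("serial"))].append((m.group("type"), fields))
    return dict(events)


def shutdown_events(events):
    """For each execve of /sbin/shutdown, report argv and whether the event carries a login uid."""
    out = []
    for serial in sorted(events):
        syscall = next((f for t, f in events[serial] if t == "SYSCALL"), None)
        execve = next((f for t, f in events[serial] if t == "EXECVE"), None)
        if syscall is None or execve is None or syscall.get("exe") != "/sbin/shutdown":
            continue  # not an exec of shutdown (e.g. serial 6349 is its later open() of utmp)
        argv = [execve[f"a{i}"] for i in range(int(execve["argc"]))]
        auid, ses = int(syscall["auid"]), int(syscall["ses"])
        out.append({"serial": serial, "argv": argv, "auid": auid, "ses": ses, "attributed": auid != UNSET})
    return out


if __name__ == "__main__":
    for ev in shutdown_events(parse_records(SAMPLE_LOG)):
        who = f"auid={ev['auid']} ses={ev['ses']}" if ev["attributed"] else "no login uid (auid unset)"
        print(f"event {ev['serial']}: {' '.join(ev['argv'])} -> {who}")
```

Run against a real audit.log, an unattributed hit tells you the shutdown was launched by a system service (here the shutdown_t domain with no tty) rather than directly from a user's login session, which is why the uid of the person who clicked the menu item never appears in these records.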
