Aha - I see that there is an audit event for the auid change. That's good
enough for me - thanks
I still have a couple of questions
A) sometimes as root I echo to /proc/self/loginuid and it is ignored. Why?
There is no error message
B) always if I echo to /proc... as non root it is ignored (as it
(Ignore my comment about /dev/audit - I wasn't thinking, yes I call
audit_open)
Thanks
In fact I was wrong. In both cases the listener loop is in a secondary
thread (gotta read my own code more closely). The differentiator is where the
audit_open is called relative to the other threads.
So a bit m
On Friday 20 April 2007 18:13:17 paul moore wrote:
> My understanding is that the auid/loginid process property is to allow the
> audit system to *really* know who did things. In particular it seems to be
> for tracking who did things when they run su or sudo
Yep.
> But it seems to be trivial to s
On Friday 20 April 2007 18:35:34 paul moore wrote:
> I have a test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.
There isn't a /dev/audit in linux.org kernels.
> It works fine if it's in the lead thread. But when I run the same code in my
> real app it run
Sorry
Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4
gcc 3.4.5 (redhat's)
-Original Message-
From: Paul Moore [mailto:[EMAIL PROTECTED]
Sent: Friday, April 20, 2007 3:45 PM
To: paul moore
Cc: linux-audit@redhat.com
Subject: Re: listening to /dev/audit in a pthread program
My understanding is that the auid/loginid process property is to allow the
audit system to *really* know who did things. In particular it seems to be
for tracking who did things when they run su or sudo
But it seems to be trivial to spoof it
login as: paul
[EMAIL PROTECTED]'s password:
Last login
On Friday, April 20 2007 6:35:34 pm paul moore wrote:
> I have a test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.
>
> It works fine if it's in the lead thread. But when I run the same code in my
> real app it runs in a different thread. No matter what PID
I have a test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
It works fine if it's in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I pass to the
audit subsystem it complains that nobody is list
Hi,
I've just started using auditing utilities to monitor filesystem events. I'm
using audit-1.5.2 version. The problem is as follows:
If I do "auditctl -a entry,always -w /etc/passwd", then "grep man /etc/passwd",
then "ausearch -f passwd", the "grep" command is logged in the log file.
Howev