On Thu, Jan 26, 2012 at 1:53 PM, Tetsuo Handa <[email protected]> wrote: > Peter Moody wrote: >> Actually, does tomoyo already log the uid? The other >> question is would it be possible/easy to extract this information with >> user-land tools? > > Yes. The first line of TOMOYO's audit log includes both timestamp and uid. > > #2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) > task={ pid=3390 ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 > fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1545499 > major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=1540116 > perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } > envp[]={ "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" > "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" > "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } } > <kernel> /usr/sbin/httpd /bin/sh > file execute /usr/bin/id
It generates this for everything executed (I think I mean for every domain transition in tomoyo parlance). > Also, use of Linux kernel's audit subsystem might be helpful. > http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info I'm familiar with auditd, I'm trying to find a lighter-weight version of the equivalent of auditctl -a exit,always -S execve -F success=1 _______________________________________________ tomoyo-users-en mailing list [email protected] http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
