On Thu, Jan 26, 2012 at 2:01 PM, Peter Moody <[email protected]> wrote: > On Thu, Jan 26, 2012 at 1:53 PM, Tetsuo Handa > <[email protected]> wrote: >> Peter Moody wrote: >>> Actually, does tomoyo already log the uid? The other >>> question is would it be possible/easy to extract this information with >>> user-land tools? >> >> Yes. The first line of TOMOYO's audit log includes both timestamp and uid. >> >> #2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) >> task={ pid=3390 ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 >> fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1545499 >> major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=1540116 >> perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } >> envp[]={ "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" >> "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" >> "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } } >> <kernel> /usr/sbin/httpd /bin/sh >> file execute /usr/bin/id
Whoops, this was meant to be a question. It generates this for everything executed (I think I mean for every domain transition in tomoyo parlance)? >> Also, use of Linux kernel's audit subsystem might be helpful. >> http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info > > I'm familiar with auditd, I'm trying to find a lighter-weight version > of the equivalent of auditctl -a exit,always -S execve -F success=1 _______________________________________________ tomoyo-users-en mailing list [email protected] http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
