On Tuesday, January 14, 2014 02:13:45 PM Maupertuis Philippe wrote:
> auditctl -e won't probably go unnoticed while an inconspicuous echo
> probably would.
Both are auditable events as required by common criteria. Changes to auditing
must produce an event as well as the assignment of loginuids. This is
automatic and not caused by a rule.
> Is there a rule to track this action without overloading the system?
Changes to audit state are auditable events. You can test this yourself with
auditctl and ausearch.
> Alternatively, is a post-mortem analysis viable?
Yes.
> I was thinking of finding processes in the audit.log whose loginuid differs
> from the parent's loginuid. Is there a way to extract information and reformat
> the result (to keep process pid, ppid, loginuid for example)?
You can write a utility using the auparse library to do anything you want it
to do.
https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c
The aulastlog program is probably a decent starting point to create something
like this. Instead of keeping uid, you'd be keeping pids and some attributes
of them. My guess is that you'll have long running processes that are not in
the logs and you'll have some unknowns.
-Steve
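As an added illustration of the post-mortem approach discussed above (this is example code written for this thread, not the audit project's aulastlog nor anything built on auparse): the script below reads the raw text format of audit.log, keeps pid, ppid and loginuid from each SYSCALL record, and reports every process whose loginuid differs from its parent's. It distinguishes the expected case (parent has no loginuid, child gets one at login) from a real mismatch, and, as Steve points out, processes whose parent never appears in the log are reported as unknowns rather than guessed at. The sample records in SAMPLE_LOG are constructed for the example.

```python
"""Post-mortem pass over audit.log: list processes whose loginuid (auid)
differs from their parent's.

Added example for this thread, not code from the audit project: it reads the
raw text format of audit.log (or `ausearch --raw` output) with a regex rather
than linking against auparse, and only uses SYSCALL records, which carry
pid, ppid and auid.  SAMPLE_LOG below is constructed for the example."""
import re
import sys

# Value the kernel reports for a loginuid that was never set: (unsigned)-1.
AUID_UNSET = 4294967295

# key=value pairs of an audit record; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Return (pid, ppid, auid, comm) for a SYSCALL record, None otherwise."""
    fields = dict(_KV.findall(line))
    if fields.get("type") != "SYSCALL":
        return None
    try:
        pid, ppid, auid = (int(fields[k]) for k in ("pid", "ppid", "auid"))
    except (KeyError, ValueError):
        return None
    return pid, ppid, auid, fields.get("comm", "?").strip('"')


def find_loginuid_changes(lines):
    """Walk the records in log order, remember the auid last seen for each
    pid, and compare every newly seen process with its parent.

    Returns a list of (pid, ppid, auid, parent_auid, comm, verdict) with
    verdict one of:
      'login'    parent had no loginuid and the child has one: this is the
                 assignment pam_loginuid makes at login, i.e. expected
      'mismatch' the loginuid changed or was dropped between parent and
                 child; with an immutable loginuid this should not happen
      'unknown'  the parent never appears in the log (a daemon started
                 before auditd, or a process older than the log), so the
                 comparison cannot be made
    A pid is reported once, when first seen; pid reuse over a long log is
    not detected here and would need the timestamps to disambiguate."""
    seen_auid = {}   # pid -> auid from the most recent record for that pid
    findings = []
    for line in lines:
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        pid, ppid, auid, comm = rec
        if pid not in seen_auid:
            parent_auid = seen_auid.get(ppid)
            if parent_auid is None:
                findings.append((pid, ppid, auid, None, comm, "unknown"))
            elif parent_auid != auid:
                verdict = "login" if parent_auid == AUID_UNSET else "mismatch"
                findings.append((pid, ppid, auid, parent_auid, comm, verdict))
        seen_auid[pid] = auid
    return findings


# Constructed sample: sshd with no loginuid, a login shell under it, a normal
# child, a child that lost its loginuid, and a process whose parent is unseen.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1389704025.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=USER_START msg=audit(1389704030.202:202): pid=901 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1389704031.303:203): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=902 auid=1000 uid=1000 gid=1000 euid=1000 ses=5 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1389704040.404:204): arch=c000003e syscall=59 success=yes exit=0 ppid=902 pid=903 auid=1000 uid=1000 gid=1000 euid=1000 ses=5 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1389704050.505:205): arch=c000003e syscall=59 success=yes exit=0 ppid=902 pid=904 auid=4294967295 uid=1000 gid=1000 euid=1000 ses=4294967295 comm="sh" exe="/bin/sh" key=(null)
type=SYSCALL msg=audit(1389704060.606:206): arch=c000003e syscall=59 success=yes exit=0 ppid=777 pid=905 auid=1000 uid=1000 gid=1000 euid=1000 ses=7 comm="bash" exe="/bin/bash" key=(null)
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. /var/log/audit/audit.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for pid, ppid, auid, pauid, comm, verdict in find_loginuid_changes(lines):
        print(f"{verdict:<8} pid={pid} ppid={ppid} auid={auid} "
              f"parent_auid={pauid} comm={comm}")
```

On a real system feed it the log file directly, or the output of `ausearch -m SYSCALL --raw` if the log has already been rotated. The 'unknown' class is exactly the gap Steve describes: long-running processes that predate the log never get a baseline, so a tool like this can only be as complete as the audit trail it is given.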