RE: EXT :Re: RedHat 6 Testing
The ausearch records root as the UID.
The cat command returns a UID of 1386 which is my ldap account UID.
Is there a way to prevent cron from inheriting my session (perhaps by removing the session
line in /etc/pam.d/crond)?
Kevin
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, March 25, 2011 12:15 PM
To: linux-audit(a)redhat.com
Cc: Boyce, Kevin P (AS)
Subject: EXT :Re: RedHat 6 Testing
On Friday, March 25, 2011 10:55:43 am Boyce, Kevin P (AS) wrote:
I have a script in cron.weekly that has a command being executed
which I am
auditing for execve. That part seems to work fine. However, in the
detailed audit report my user id is associated with the execution. Root
owns the files there and ultimately root is the effective UID in the
record, but why am I associated with the activity at all?
What did pam record for the user_start?
ausearch --start today -x crond -m user_start
This should show which account the script will run under. The cron daemon should set
the loginuid to it. That would cause all actions done by the script to be attributed
to that user.
Also, have you restarted the cron daemon? Maybe in inheritted your account. You can
check by this:
cat /proc/`ps -C crond -o pid= | tr -d ' '`/loginuid
-Steve