On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote:
> I want to track what people are doing when they change their
> userid.
> Basically I would like to write:
> -a exit,never -F arch=b32 -S all -F auid=4294967295
> -a exit,never -F arch=b64 -S all -F auid=4294967295
> -a exit,always -F arch=b32 -S all -F auid>1000 -F uid!=auid -k userchange
> -a exit,always -F arch=b64 -S all -F auid>1000 -F uid!=auid -k userchange
> However it seems that it's not a valid syntax.
> Is there a way to achieve that?
Yes there is. It requires a newish kernel and user space. But the rules are like this:
-a always,exit -F arch=b32 -S all -F auid!=4294967295 -C auid!=uid
-a exit,always -F arch=b32 -S all -F auid>1000 -F auid!=4294967295 -C auid!=uid -k userchange
And the same for b64.
-Steve
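As an added illustration (not part of the thread above), the following POSIX shell snippet generates the keyed rule Steve gives for either architecture and then filters audit SYSCALL records the same way the kernel rule would: it flags records where the login uid (auid) is set, above the threshold, and differs from the effective uid. The sample records are constructed for the example; the function names are my own.

```sh
#!/bin/sh
# Print the userchange rule for one arch. $1 = b32 or b64, $2 = minimum auid,
# $3 = key. Write the output to a rules file and load it with auditctl -R.
userchange_rule() {
    printf '%s\n' "-a always,exit -F arch=$1 -S all -F auid>$2 -F auid!=4294967295 -C auid!=uid -k $3"
}

# Read audit SYSCALL records on stdin; print "auid=X uid=Y pid=Z" for each
# record whose auid is set (not 4294967295), is above $1 (default 1000), and
# differs from uid. This mirrors the -F auid>N -F auid!=4294967295 -C auid!=uid
# match of the rule, so it can be used to sanity-check the rule against a log.
flag_userchange() {
    min="${1:-1000}"
    while IFS= read -r line; do
        auid=$(printf '%s\n' "$line" | sed -n 's/.* auid=\([0-9]*\).*/\1/p')
        uid=$(printf '%s\n' "$line" | sed -n 's/.* uid=\([0-9]*\).*/\1/p')
        [ -n "$auid" ] && [ -n "$uid" ] || continue
        [ "$auid" -eq 4294967295 ] && continue   # loginuid unset: daemons, boot
        [ "$auid" -gt "$min" ] || continue          # ignore system accounts
        [ "$auid" -ne "$uid" ] || continue          # no uid change: not interesting
        pid=$(printf '%s\n' "$line" | sed -n 's/.* pid=\([0-9]*\).*/\1/p')
        printf 'auid=%s uid=%s pid=%s\n' "$auid" "$uid" "$pid"
    done
}

# Constructed sample records (not from a real system): a login user running
# a command as root, the same user running as themselves, a daemon with no
# loginuid, and a 32-bit process whose auid and uid differ.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1381337329.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="id" exe="/usr/bin/id" key="userchange"
type=SYSCALL msg=audit(1381337329.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1381337329.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1381337329.400:104): arch=40000003 syscall=11 success=yes exit=0 ppid=1400 pid=1401 auid=1002 uid=1003 gid=1003 euid=1003 suid=1003 fsuid=1003 comm="bash" exe="/bin/bash" key="userchange"'

# Example usage: print both rules, then run the filter over the sample.
userchange_rule b32 1000 userchange
userchange_rule b64 1000 userchange
printf '%s\n' "$SAMPLE_RECORDS" | flag_userchange 1000
```

On a live host the same filter can be fed with `ausearch -k userchange --raw` to confirm the loaded rule only fires for the records you expect.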