On Monday, September 02, 2013 02:49:28 PM Maupertuis Philippe wrote:
> I have a requirement to trace the activity of the physical users on Redhat
> 5/6 systems. I spent the last week sifting through the archive to find
> that the question was asked time and again. The basic rule is easy but the
> hitch is when an administrator restarts a service. Unfortunately, it seems
> there is no solution until systemd is used to start daemons instead of
> service.
Depending on how ambitious you are, you can write a little C program that
opens /proc/self/loginuid and writes -1, then closes it, and execve's the intended
program. You will still have a sessionid that is not -1, but you have a
solution. At the same time, it also means that admins could use the same tool
to bypass audit rules. So, you'd probably want to think about it a bit.
> The only useful thing I found was in this old post from 2007
> http://www.redhat.com/archives/linux-audit/2007-February/msg00071.html to
> reset the auid. I would like to know if it can be used with the current
> version of auditd.
Probably, but you don't really need to link against libaudit. If you look at
the source to audit_setloginuid(), it's just opening /proc/self/loginuid and
writing to it.
> If yes, I will probably give it a try with a fixed
> dedicated auid to clearly state that the auid was changed. Do I need to
> install something besides audit and audit-libs?
> Is there any special need for compiling this program?
I'd simplify.
-Steve
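The wrapper Steve sketches above, written out as an added example (this is not code from the thread, from audit-libs or from audit_setloginuid()). It opens /proc/self/loginuid, writes the requested auid, then execs the target program. It also covers Philippe's variant of writing a fixed dedicated auid instead of -1, so the re-exec'd daemon is visibly tagged rather than invisible to rules that filter on auid. Assumptions not stated in the thread: the kernel parses the value as an unsigned decimal, so -1 has to be sent as 4294967295 (which is what the "%u" formatting below produces); writing /proc/self/loginuid needs CAP_AUDIT_CONTROL; and newer kernels may refuse a second change with EPERM, in which case the program fails loudly instead of exec'ing with the old auid. Nothing here touches sessionid, which stays as it was.

```c
/* auid-reset.c: added example, not code from the linux-audit thread.
 *
 * Usage: auid-reset <uid|unset> <program> [args...]
 *   "unset" writes 4294967295, the unsigned form of -1, which the kernel
 *   treats as "no login uid"; a numeric uid writes that uid, so a dedicated
 *   "service restart" auid can be given to the re-exec'd daemon.
 *
 * Assumptions (not from the thread): the write needs CAP_AUDIT_CONTROL, and
 * newer kernels can refuse a second change with EPERM. The kernel parses
 * the value as an unsigned decimal, so "-1" is sent as "%u".
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define LOGINUID_PATH "/proc/self/loginuid"
#define AUID_UNSET ((uid_t)-1)

/* Render a uid the way the kernel expects it: unsigned decimal, no sign.
 * Returns the number of characters written (excluding the NUL). */
int format_loginuid(uid_t uid, char *buf, size_t len)
{
    return snprintf(buf, len, "%u", (unsigned int)uid);
}

/* Parse a loginuid value as read from /proc ("1000\n", "4294967295\n") or
 * as typed on the command line ("unset" is an alias for 4294967295).
 * Returns 0 and stores the uid, or -1 on malformed input. */
int parse_loginuid(const char *text, uid_t *out)
{
    char *end;
    unsigned long v;

    if (strcmp(text, "unset") == 0) { *out = AUID_UNSET; return 0; }
    if (*text == '-' || *text == '\0') return -1;   /* kernel rejects "-1" too */
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno != 0 || end == text || v > 0xffffffffUL) return -1;
    while (*end == '\n' || *end == ' ') end++;
    if (*end != '\0') return -1;
    *out = (uid_t)v;
    return 0;
}

/* Write uid to the given loginuid file. Returns 0 on success or -errno:
 * -EPERM without CAP_AUDIT_CONTROL or when the kernel has locked the value,
 * -ENOENT when the file does not exist (e.g. audit not compiled in). */
int write_loginuid_path(const char *path, uid_t uid)
{
    char buf[32];
    int fd, n, rc = 0;
    ssize_t w;

    n = format_loginuid(uid, buf, sizeof buf);
    fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    w = write(fd, buf, (size_t)n);
    if (w < 0) rc = -errno;
    else if (w != n) rc = -EIO;       /* short write: treat as failure */
    close(fd);
    return rc;
}

/* Read the value back so the caller can confirm what auditd will see. */
int read_loginuid_path(const char *path, uid_t *out)
{
    char buf[32];
    int fd;
    ssize_t n;

    fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return -errno;
    buf[n] = '\0';
    return parse_loginuid(buf, out) == 0 ? 0 : -EINVAL;
}

int main(int argc, char **argv)
{
    uid_t want, now;
    int rc;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <uid|unset> <program> [args...]\n", argv[0]);
        return 2;
    }
    if (parse_loginuid(argv[1], &want) != 0) {
        fprintf(stderr, "bad uid: %s\n", argv[1]);
        return 2;
    }
    rc = write_loginuid_path(LOGINUID_PATH, want);
    if (rc != 0) {
        /* Never exec silently with the old auid: the point is that the
         * audit trail reflects the change, or that the admin sees it failed. */
        fprintf(stderr, "cannot set loginuid: %s\n", strerror(-rc));
        return 1;
    }
    if (read_loginuid_path(LOGINUID_PATH, &now) == 0 && now != want) {
        fprintf(stderr, "loginuid did not change (kernel kept %u)\n", (unsigned)now);
        return 1;
    }
    execvp(argv[2], argv + 2);          /* sessionid is left untouched */
    perror("execvp");
    return 127;
}
```

Build with `cc -O2 -o auid-reset auid-reset.c`; no audit-libs headers are needed. Because the same binary lets an administrator drop their auid on purpose, keep it root-only and mode 0700, and consider watching it with an audit rule (`-w /usr/local/sbin/auid-reset -p x -k auid-reset`) so every use is itself recorded under the caller's real auid before the change takes effect.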