On Wednesday, April 7, 2021 3:20:22 AM EDT MAUPERTUIS, PHILIPPE wrote:
> I understand that daemons started by systemd have a uid -1.
> For a specific daemon, I would like to have a different auid to trace what
> the daemon is doing. By having a distinct auid it would be monitored
> without specific rules. Is that possible?
While it may be possible, that violates how the audit system was designed to
operate. Setting the loginuid also sets the session ID. The utilities look
for those events to determine that a login has occurred and then track that.
> Otherwise, what would be the best way to monitor a specific daemon?
There is auditing by application.
-a always,exit -F exe=/usr/sbin/httpd -F arch=b64 -S open,openat, ...
-Steve
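A fuller version of the per-executable auditing Steve points to, as an added example that is not from this thread or from the audit project: it emits a keyed rules fragment for one daemon, shows how to load it and query it with the standard tools, and runs the same exe-based selection over a few constructed audit.log records. The daemon path /usr/sbin/httpd, the key name httpd-activity, the syscall lists and the sample records are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit one daemon by executable, not by auid.
# Assumptions: the daemon is /usr/sbin/httpd, the rule key is "httpd-activity",
# and SAMPLE_LOG is a constructed audit.log excerpt, not a real capture.

DAEMON_EXE=/usr/sbin/httpd
RULE_KEY=httpd-activity

# Print an audit rules fragment for one executable. Every rule carries -k "$key"
# so "ausearch -k" / "aureport -k" pull the daemon's events with no auid trick.
# "-F arch=b64" must precede "-S" because syscall names resolve per architecture;
# add a "-F arch=b32" twin if the daemon can make 32-bit compat syscalls.
# No execve rule: -F exe= is compared with the task's image at syscall exit, so
# once the daemon execs into another binary its events no longer match here.
emit_daemon_rules() {
    exe=$1
    key=$2
    cat <<EOF
## Audit what $exe does (-F exe= needs kernel 4.3 or later)
-a always,exit -F arch=b64 -F exe=$exe -S open,openat,creat,truncate,unlink,unlinkat,rename,renameat -k $key
-a always,exit -F arch=b64 -F exe=$exe -S connect,bind,accept,accept4 -k $key
-a always,exit -F arch=b64 -F exe=$exe -S chmod,fchmod,fchmodat,chown,fchown,fchownat -k $key
EOF
}

# Persist the rules and load them together with the rest of /etc/audit/rules.d
# (root only; augenrules merges every *.rules file and hands them to auditctl).
install_daemon_rules() {
    emit_daemon_rules "$1" "$2" > "/etc/audit/rules.d/$2.rules"
    augenrules --load
}

# Show what was recorded for the daemon, with uids/syscalls decoded (-i).
show_daemon_events() {
    ausearch -k "$1" -i
}

# Select SYSCALL records for one executable from raw audit.log text on stdin.
# Works on records without a key too, which helps when reviewing older logs.
events_for_exe() {
    awk -v want="exe=\"$1\"" '/^type=SYSCALL/ && index($0, want) { print }'
}

# Constructed sample records: two from httpd (note auid=4294967295, i.e. the
# unset auid of a systemd-started daemon) and one from an interactive shell.
SAMPLE_LOG='type=SYSCALL msg=audit(1617780022.101:4567): arch=c000003e syscall=257 success=yes exit=12 a0=ffffff9c a1=55d2a3c0e5a0 a2=80000 a3=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="httpd-activity"
type=SYSCALL msg=audit(1617780022.102:4568): arch=c000003e syscall=42 success=yes exit=0 a0=9 a1=7ffd3c2b1a10 a2=10 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="httpd-activity"
type=SYSCALL msg=audit(1617780030.500:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe4a1b2c30 a2=0 a3=0 items=1 ppid=1800 pid=1900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)'

if [ "${1:-}" = "--install" ]; then
    # Live path: needs root and a kernel with audit enabled.
    install_daemon_rules "$DAEMON_EXE" "$RULE_KEY"
    show_daemon_events "$RULE_KEY"
else
    # Offline path: show the rules and filter the constructed sample.
    echo "# rules fragment for $DAEMON_EXE:"
    emit_daemon_rules "$DAEMON_EXE" "$RULE_KEY"
    echo "# sample records that belong to $DAEMON_EXE:"
    printf '%s\n' "$SAMPLE_LOG" | events_for_exe "$DAEMON_EXE"
fi
```

Run it without arguments to see the rules and the filtered sample; run it as root with --install to write /etc/audit/rules.d/httpd-activity.rules, load it and query the results. The daemon's own records carry auid=4294967295 and ses=4294967295 throughout, which is why the key (or the exe= field) rather than the auid is the handle to search on.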