Dropping auid for daemons started via sudo

Hello: I'm dealing with a set of machines with unrestricted sudo for admins ("sudo -s"). It's not something I can immediately change (though I'm working toward a more restrictive attitude and policy). I'm trying to at least do some auditing via the following audit rule: -a always,exit -F arch=b32 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged -a always,exit -F arch=b64 -S execve -F uid=0 -F auid>=500 -F auid!=4294967295 -k privileged It mostly does the right thing, except for cases when an admin logs in and restarts a service. If it's running a privileged process, that process will have an auid of the user that last ran "service foo restart". Is there a way to drop auid for services restarted by individual admins? I'm not sure if run_init does it, but I can't use it anyway because selinux is disabled on those machines. Thanks for any advice. Regards, -- McGill University IT Security Konstantin "Kay" Ryabitsev Montréal, Québec