Fwd: Re: Fw: Audit records for start/stop auditd

Hello, This is the discussion about meeting the CAPP requirement to log the real user's ID that initiated a shutdown. The core issue is that shutdown sequence is started by a SIGTERM. I can use sigaction to get some additional information delivered to the signal handler. All you get is pid. It would be racy to trace that back to the caller and see what their loginuid is. Klaus proposed the following patch. Its an OK solution, but I was wanting to see if there are alternatives. The problems I see is that this will always require adding some rules, you will always have to start the audit daemon from the init script to make sure the pid is captured, its racy on termination - it waits a finite amount of time hoping the record makes it to disk, people may accidentally delete the rule not knowing what it does, there's a race getting the pid of the audit daemon - it forks starting up, it slows down performance because it adds a another rule the audit system has to evaluate each time there's a potential audit event, it occupies memory, etc. Some other ideas I've pondered: *adding user information to sigaction signal delivery *having the kernel recognize kill to the audit daemon and auto generate an event before delivering the signal We need some ideas to pick the best way to solve the problem. -Steve ---------- Forwarded Message ---------- Subject: Re: Fw: Audit records for start/stop auditd Date: Thursday 17 March 2005 19:04 From: Klaus Weidner <klaus(a)atsec.com&gt; To: Kris Wilson <krisw(a)us.ibm.com&gt;, Steve Grubb <sgrubb(a)redhat.com&gt; Hello, I've worked around the problem in the following way - it's a bit of a hack but I think easier than completely restructuring the code: - dynamically add an audit rule from /etc/init.d/audit to monitor signals sent to the auditd pid - change auditd to keep processing kernel messages for two seconds after getting the shutdown signal so that it has a chance to save the "signal" event record. This is what it looks like (i386, syscall 37 is "kill"): type=KERNEL msg=audit(1111114589.580:4100282): syscall=37 exit=0 a0=469d a1=f a2=469d a3=469d items=0 pid=18094 loginuid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 type=DAEMON msg=auditd(1111114591) auditd normal halt, pid=18077, uid=0 I think this way the CAPP requirement is covered, even though it's not pretty. The patch contains one separate change - /etc/init.d/audit did not actually reload the audit rules when run with the "reload" argument, this caused me some head scratching while testing. The change adds the reload. -Klaus On Thu, Mar 17, 2005 at 01:16:49PM -0600, Kris Wilson wrote: -------------------------------------------------------