On Sun, 2007-02-25 at 18:17 -0500, Steve Grubb wrote:
On Tuesday 20 February 2007 16:29:25 Matthew Booth wrote:
> I needed a way to exclude a very large class of audit traffic [1] in
> RHEL 4. It occurred to me that if I could launch a process and give it
> the auid of a dedicated user, I could easily filter it out along with
> all child processes. With this in mind I wrote the attached simple
> wrapper round the audit_setloginuid. It sets its own auid to whatever
> you give it, then execs a command.
In general, I don't like the theory that this operates under. It could be
abused and then the audit trail coerced. Could you not achieve this by making
the apps set gid and filtering on the group?
The utility doesn't create the ability to set an arbitrary auid, it just
uses it. Any user who can use the utility could also execute any other
snippet of code which does the same thing. This is mitigated by the fact
that it generates a login event, which is audited. My goal is not to
create a system which cannot be circumvented, just to make it obvious
that it has been circumvented and by whom.
When it comes to Oracle and WebLogic, you can only work with what you
are given. The customer is already concerned at the Oracle support
response to prepending my utility to the entries in inittab, even though
this is a non-functional change from Oracle's POV. Altering the
operation of Oracle would be completely out of the question.
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490