[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Dropping auid for daemons started via sudo



Hello:

I'm dealing with a set of machines with unrestricted sudo for admins
("sudo -s"). It's not something I can immediately change (though I'm
working toward a more restrictive attitude and policy). I'm trying to
at least do some auditing via the following audit rule:

-a always,exit -F arch=b32 -S execve -F uid=0 -F auid>=500 -F
auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S execve -F uid=0 -F auid>=500 -F
auid!=4294967295 -k privileged

It mostly does the right thing, except for cases when an admin logs in
and restarts a service. If it's running a privileged process, that
process will have an auid of the user that last ran "service foo
restart".

Is there a way to drop auid for services restarted by individual
admins? I'm not sure if run_init does it, but I can't use it anyway
because selinux is disabled on those machines.

Thanks for any advice.

Regards,
-- 
McGill University IT Security
Konstantin "Kay" Ryabitsev
Montréal, Québec


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]