From: Maupertuis Philippe
Subject: RE: Auditing only when auid and uid differ
Date: Thu, 10 Oct 2013 09:25:37 +0200
To: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

It does work on Redhat 6, it was my mistake.

Philippe

-----Original Message-----
From: Maupertuis Philippe
Sent: Thursday, 10 October 2013 09:13
To: linux-audit@redhat.com
Subject: RE: Auditing only when auid and uid differ

Thanks for the quick reply.
Unfortunately, I guess that a newish kernel means newer than those available on Redhat 5/6.
I tried on a 2.6.32-358.18.1 kernel and got "Multiple rule insert/delete operations are not allowed"

Philippe

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Wednesday, 9 October 2013 18:43
To: linux-audit@redhat.com
Cc: Maupertuis Philippe
Subject: Re: Auditing only when auid and uid differ

On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote:
> I want to track what people are doing when they change their userid.
> Basically I would like to write:
> -a exit,never -F arch=b32 -S all -F auid=4294967295
> -a exit,never -F arch=b64 -S all -F auid=4294967295
> -a exit,always -F arch=b32 -S all -F auid>1000 -F uid!=auid -k userchange
> -a exit,always -F arch=b64 -S all -F auid>1000 -F uid!=auid -k userchange
>
> However it seems that it's not a valid syntax.
> Is there a way to achieve that?

Yes there is. It requires a newish kernel and user space. But the rules are like this:

-a always,exit -F arch=b32 -S all -F auid!=4294967295 -C auid!=uid
-a exit,always -F arch=b32 -S all -F auid>1000 -F auid!=4294967295 -C auid!=uid -k userchange

And the same for b64.

-Steve
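Added example, not part of the thread and not code from the audit project: the same selection the rules above express (auid set, auid>1000, auid!=uid), applied in user space to SYSCALL records that have already been logged. The log lines are constructed samples in the raw audit.log field layout, and the function names are hypothetical.

```python
import re

UNSET_AUID = 4294967295  # auid of processes with no login session (daemons)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, shaped like /var/log/audit/audit.log lines.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1381303729.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2102 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="userchange"
type=SYSCALL msg=audit(1381303730.202:502): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2103 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1381303731.303:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=SYSCALL msg=audit(1381303732.404:504): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=500 uid=0 gid=0 euid=0 tty=pts1 ses=5 comm="id" exe="/usr/bin/id" key=(null)
type=USER_AUTH msg=audit(1381303733.505:505): pid=2300 uid=0 auid=1002 ses=6 msg='op=PAM:authentication acct="root" res=success'
"""


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def user_changes(log_text, min_auid=1000):
    """Yield SYSCALL records where auid is set, above min_auid, and differs from uid."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        try:
            auid, uid = int(rec["auid"]), int(rec["uid"])
        except (KeyError, ValueError):
            continue  # missing or non-numeric ids: skip rather than guess
        # 4294967295 is greater than min_auid, so the unset check must be explicit,
        # just as the rule carries both -F auid>1000 and -F auid!=4294967295.
        if auid != UNSET_AUID and auid > min_auid and auid != uid:
            yield rec


if __name__ == "__main__":
    for rec in user_changes(SAMPLE_LOG):
        print(f'{rec["msg"]} auid={rec["auid"]} uid={rec["uid"]} exe={rec["exe"]}')
```

Lowering `min_auid` to 499 also selects the constructed record with auid=500, for systems where regular accounts start at 500.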