From: Steve Grubb
To: "linux-audit@redhat.com"
Cc: "MAUPERTUIS, PHILIPPE"
Subject: Re: systemd daemon and auid
Date: Wed, 07 Apr 2021 09:23:01 -0400
Message-ID: <5450942.DvuYhMxLoT@x2>
Organization: Red Hat
In-Reply-To: <5F4EE10832231F4F921A255C1D9542981572221E@DEERLM99EX7MSX.ww931.my-it-solutions.net>

On Wednesday, April 7, 2021 3:20:22 AM EDT MAUPERTUIS, PHILIPPE wrote:
> I understand that daemons started by systemd have a uid -1.
> For a specific daemon, I would like to have a different auid to trace what
> the daemon is doing. By having a distinct auid it would be monitored
> without specific rules. Is that possible?

While it may be possible, that violates how the audit system was designed to
operate. Setting the loginuid also sets the session ID. The utilities look for
those events to determine that a login has occurred and then track that.

> Otherwise what would be the best way to monitor a specific daemon?

There is auditing by application.

-a always,exit -F exe=/usr/sbin/httpd -F arch=b64 -S open,openat, ...

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
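
Added example, not part of the message above and not code from the audit project: a Python pass over audit.log SYSCALL records showing that events from a systemd-started daemon carry the unset auid and session ID (4294967295, i.e. -1 as an unsigned 32-bit value), so the exe= field is what singles the daemon out. The log lines are constructed for illustration; the pids, timestamps and serial numbers are assumptions.

```python
import re

UNSET = 4294967295  # (uint32)-1: loginuid / session ID was never set

# Constructed sample records in audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1617801781.101:901): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2210 auid=4294967295 uid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1617801781.640:902): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=2210 auid=4294967295 uid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1617801782.007:903): arch=c000003e syscall=257 success=yes exit=3 ppid=3011 pid=3050 auid=1000 uid=0 ses=7 comm="cat" exe="/usr/bin/cat" key=(null)
type=SYSCALL msg=audit(1617801783.300:904): arch=c000003e syscall=2 success=yes exit=5 ppid=1 pid=2211 auid=4294967295 uid=48 ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=PATH msg=audit(1617801783.300:904): item=0 name="/etc/httpd/conf/httpd.conf" nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_records(text):
    """Turn audit.log lines into dicts of their key=value fields."""
    records = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if not head:
            continue  # not an audit record
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec["serial"] = int(head.group(3))  # event serial from msg=audit(ts:serial)
        records.append(rec)
    return records


def daemon_events(records, exe):
    """SYSCALL records produced by one executable, whatever its auid."""
    return [r for r in records
            if r.get("type") == "SYSCALL" and r.get("exe") == exe]


def summarize(events):
    """Event serials, failed-call count, and the auid/session values seen."""
    return {
        "serials": [e["serial"] for e in events],
        "failed": sum(e.get("success") == "no" for e in events),
        "auids": sorted({int(e["auid"]) for e in events}),
        "sessions": sorted({int(e["ses"]) for e in events}),
    }


if __name__ == "__main__":
    print(summarize(daemon_events(parse_records(SAMPLE_LOG), "/usr/sbin/httpd")))
```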