From: "MAUPERTUIS, PHILIPPE"
To: "linux-audit@redhat.com"
Subject: systemd daemon and auid
Date: Wed, 7 Apr 2021 07:20:22 +0000
Message-ID: <5F4EE10832231F4F921A255C1D9542981572221E@DEERLM99EX7MSX.ww931.my-it-solutions.net>
List-Id: Linux Audit Discussion

Hello,

I understand that daemons started by systemd have a uid -1.
For a specific daemon, I would like to have a different auid to trace what the daemon is doing.
By having a distinct auid it would be monitored without specific rules.
Is that possible?
Otherwise what would be the best way to monitor a specific daemon?

Regards
Philippe
