Hello All,
I have recently been introduced to Linux security. After going through man 
pages and some posts, I believe I have configured and set up my audit rules 
correctly. My need is to monitor and log access to all files in certain 
directories.
The problem.
Application1 - I log in using my id <user1>. I sudo to <super_user1> and start 
the application.
The application starts a few daemon processes owned by <super_user1>.

User2 - uses the application to access the files (through some script). The 
script is actually executed by the application's daemon process.

The auid shown in the audit logs is always my id <user1> for all audit events.

So I started capturing the uid from the logs which shows <user2>.

Now user2 is smart, he/she sudoes to <super_user2> and then runs the same script 
to access the files. This time the auid is shown as my user <user1> and the 
uid and euid are always shown as <super_user2>.

Is there a way I can get the auid of the person who started the script even 
after he/she sudoes to another user?

Any help/suggestion is much appreciated.

Thanks,
Amit.
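
Added example, not part of the original post: a small Python parser over constructed, abbreviated SYSCALL records that reproduces the two observations described above, where auid and ses stay those of the login session that started the daemon while uid and euid change. The numeric ids, paths, key name and script name are assumptions.

```python
import re

# Constructed, abbreviated sample records (not from the original post).
# Numeric ids are assumptions: 1001 = user1, 1002 = user2, 2002 = super_user2.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600000000.101:501): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4211 auid=1001 uid=1002 gid=1002 euid=1002 tty=(none) ses=7 comm="report.sh" exe="/usr/bin/bash" key="watched-dir"
type=PATH msg=audit(1600000000.101:501): item=0 name="/data/watched/a.txt" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1600000050.202:502): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4230 auid=1001 uid=2002 gid=2002 euid=2002 tty=(none) ses=7 comm="report.sh" exe="/usr/bin/bash" key="watched-dir"
type=PATH msg=audit(1600000050.202:502): item=0 name="/data/watched/a.txt" inode=131 nametype=NORMAL
"""

UNSET_AUID = {"4294967295", "-1"}  # loginuid never set (process not from a login)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one raw audit line into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = m.group(1) if m else None
    return fields


def classify(rec):
    """Label how the login identity (auid) relates to the acting uid."""
    if rec["auid"] in UNSET_AUID:
        return "unset"
    return "login" if rec["auid"] == rec["uid"] else "inherited"


def summarize(log_text):
    """Return (serial, ses, auid, uid, euid, label) for each SYSCALL record."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and "auid" in rec:
            rows.append((rec["serial"], rec["ses"], rec["auid"],
                         rec["uid"], rec["euid"], classify(rec)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```
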
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit