On Friday, April 20 2007 6:35:34 pm paul moore wrote:
I have a test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
It works fine if it's in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I
My understanding is that the auid/loginid process property is to allow the
audit system to *really* know who did things. In particular it seems to be
for tracking who did things when they run su or sudo.
But it seems to be trivial to spoof it
login as: paul
[EMAIL PROTECTED]'s password:
Last
Sorry
Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4
gcc 3.4.5 (redhat's)
-Original Message-
From: Paul Moore [mailto:[EMAIL PROTECTED]
Sent: Friday, April 20, 2007 3:45 PM
To: paul moore
Cc: linux-audit@redhat.com
Subject: Re: listening to /dev/audit in a pthread
On Friday 20 April 2007 18:13:17 paul moore wrote:
My understanding is that the auid/loginid process property is to allow the
audit system to *really* know who did things. In particular it seems to be
for tracking who did things when they run su or sudo.
Yep.
But it seems to be trivial to
Aha - I see that there is an audit event for the auid change. That's good
enough for me - thanks.
I still have a couple of questions
A) sometimes as root I echo to /proc/self/loginuid and it is ignored. Why?
There is no error message
B) always if I echo to /proc... as non root it is ignored (as it