TOMOYO
ForkPeter Moody wrote:
> Actually, does tomoyo already log the uid? The other
> question is would it be possible/easy to extract this information with
> user-land tools?
Yes. The first line of TOMOYO's audit log includes both timestamp and uid.
#2010/12/25 15:47:10# profile=2 mode=permissive granted=no (global-pid=3390) task={ pid=3390 ppid=3386 uid=48 gid=48 euid=48 egid=48 suid=48 sgid=48 fsuid=48 fsgid=48 type!=execute_handler } path1={ uid=0 gid=0 ino=1545499 major=8 minor=1 perm=0755 type=file } path1.parent={ uid=0 gid=0 ino=1540116 perm=0755 } exec={ realpath="/usr/bin/id" argc=1 envc=7 argv[]={ "id" } envp[]={ "TERM=vt100" "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PWD=/usr/share/horde/admin" "LANG=en_US.UTF-8" "SHLVL=3" "LANGUAGE=en_US.UTF-8" "_=/usr/bin/id" } }
<kernel> /usr/sbin/httpd /bin/sh
file execute /usr/bin/id
Also, use of Linux kernel's audit subsystem might be helpful.
http://tomoyo.sourceforge.jp/cgi-bin/lxr/ident?i=audit_log_execve_info