Idea Details

PIM cannot recognize the original account after restarting PIM

Last activity 12-17-2016 10:56 AM
kansi02
11-28-2016 02:55 AM

Hi product manager,

This enhancement request was generated from 00525223: Cannot recognize original account.

Customer situation:

  1. The customer wrote a monitoring daemon (program). It is called test_ppid.

  2. Internally, test_ppid runs some commands every 3 minutes that can be executed only by root.

      For instance, mount, umount.

  3. The customer wrote a rule in PIM that does not allow a regular user to execute the above program.

      AC> sr file /usr/sbin/umount
      (localhost)
      Data for FILE '/usr/sbin/umount'
      -----------------------------------------------------------
      Defaccess : None
      ACLs :
      Accessor Access
      root (USER ) R, W, X, Cre, Del, Chown, Chmod, Utime, Sec, Rename, Chdir
      Audit mode : Success, Failure
      Owner : nobody (USER )
      Create time : 05-Oct-2016 10:17
      Update time : 05-Oct-2016 11:11
      Updated by : root (USER )

  4. The customer logs in as a regular user (e.g. user01), switches user to root, and runs the test_ppid daemon with a 3-minute interval. The audit log is generated with D.

     [venus:/home/user01]# whoami
     user01
     [venus:/home/user01]# su -
     root's Password:
     [venus:/hjsong]# id
     uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),203(idsldap)
     [venus:/hjsong]# sewhoami
     user01
     [venus:/hjsong]# ./test_ppid 3

    05 Oct 2016 15:15:48 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root
    05 Oct 2016 15:15:51 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root

    ==> This is what the customer is expecting. It is a normal phenomenon.

  5. At this point, the customer only restarts PIM without any change, then checks the audit log.

    05 Oct 2016 15:18:12 M SHUTDOWN root 452 seosd
    05 Oct 2016 15:18:12 M SHUTDOWN root 452 KBLAudMgr
    05 Oct 2016 15:18:23 M START seosd
    05 Oct 2016 15:18:24 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root
    05 Oct 2016 15:18:27 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root

 

So the customer couldn't monitor the system properly. Please follow up on this enhancement request (not permitted with D).

Reviewed by Timmy (L2) with DE243569
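
A way to detect the attribution change described in the post from the audit log itself, as an added example that is not part of the original post or of the product. The field layout in the regular expressions is an assumption inferred only from the audit lines quoted above, and `attribution_shifts` is a hypothetical helper name.

```python
import re

# Audit lines copied from the post above (not constructed).
SAMPLE = """\
05 Oct 2016 15:15:48 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root
05 Oct 2016 15:15:51 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root
05 Oct 2016 15:18:12 M SHUTDOWN root 452 seosd
05 Oct 2016 15:18:12 M SHUTDOWN root 452 KBLAudMgr
05 Oct 2016 15:18:23 M START seosd
05 Oct 2016 15:18:24 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root
05 Oct 2016 15:18:27 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root
"""

# Assumed layout, inferred only from the lines above:
# date time result class user access <num> <num> resource program [terminal] user
FILE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (?P<result>[A-Z]) FILE "
    r"(?P<user>\S+) (?P<access>\S+) \d+ \d+ (?P<resource>\S+) (?P<program>\S+)")
START_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} M START seosd\b")


def attribution_shifts(log_text):
    """Return findings where, after a seosd START, the same access is logged
    under a different user or result code than it was before the restart."""
    last_seen = {}   # (resource, program, access) -> (user, result), running state
    baseline = {}    # snapshot of last_seen taken at the most recent seosd START
    reported = set()
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if START_RE.match(line):
            baseline = dict(last_seen)  # freeze the pre-restart attribution
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        key = (m["resource"], m["program"], m["access"])
        now = (m["user"], m["result"])
        before = baseline.get(key)
        if before and before != now and (key, now) not in reported:
            reported.add((key, now))  # report each distinct change once
            findings.append({"time": m["ts"], "resource": m["resource"],
                             "before": before, "after": now})
        last_seen[key] = now
    return findings


if __name__ == "__main__":
    for finding in attribution_shifts(SAMPLE):
        print(finding)
```
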