PIM cannot recognize the original account after restarting PIM

Idea created by kansi02 Employee on Nov 28, 2016
    New
    Score: 14

    Hi product manager,

     

    This enhancement request was generated from 00525223 : Cannot recognize original account.

    Customer situation:

      1. The customer wrote a monitoring daemon (program). It is called test_ppid.

      2. Internally, test_ppid runs some commands every 3 minutes that can be executed only by root.

          For instance, mount, umount.

      3. The customer wrote a rule in PIM that does not allow a regular user to execute the above program.

          AC> sr file /usr/sbin/umount
          (localhost)
          Data for FILE '/usr/sbin/umount'
          -----------------------------------------------------------
          Defaccess : None
          ACLs :
          Accessor Access
          root (USER ) R, W, X, Cre, Del, Chown, Chmod, Utime, Sec, Rename, Chdir
          Audit mode : Success, Failure
         Owner : nobody (USER )
         Create time : 05-Oct-2016 10:17
         Update time : 05-Oct-2016 11:11
         Updated by : root (USER )

       4. The customer logs in as a regular user (e.g. user01), switches user to root, and runs the test_ppid daemon with a 3-minute interval. The audit log is generated with D.

     

         [venus:/home/user01]# whoami
         user01
         [venus:/home/user01]# su -
         root's Password:
         [venus:/hjsong]# id
         uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp),203(idsldap)
        [venus:/hjsong]# sewhoami
        user01
        [venus:/hjsong]# ./test_ppid 3

        05 Oct 2016 15:15:48 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root
        05 Oct 2016 15:15:51 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root

        ==> This is what the customer is expecting. It is a normal phenomenon.

      5. At this point, the customer only restarts PIM without any change, then checks the audit log.

        05 Oct 2016 15:18:12 M SHUTDOWN root 452 seosd
        05 Oct 2016 15:18:12 M SHUTDOWN root 452 KBLAudMgr
        05 Oct 2016 15:18:23 M START seosd
        05 Oct 2016 15:18:24 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root
        05 Oct 2016 15:18:27 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root

     

    So the customer couldn't monitor the system properly. Please follow up on this enhancement request (not permitted with D).

     

    Reviewed by Timmy (L2) with DE243569
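
A log check for the symptom described in this report, as an added example that is not part of the original post or of the product: it flags FILE Exec records whose logged user changes for the same resource and program after a seosd START record. The field positions are an assumption inferred from the audit lines quoted above, and the sample input reuses those lines.

```python
import re
from typing import NamedTuple

# Constructed input: the audit lines quoted in the report above.
SAMPLE = [
    "05 Oct 2016 15:15:48 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root",
    "05 Oct 2016 15:15:51 D FILE user01 Exec 69 2 /usr/sbin/mount /usr/bin/sh 192.168.2.32 root",
    "05 Oct 2016 15:18:12 M SHUTDOWN root 452 seosd",
    "05 Oct 2016 15:18:23 M START seosd",
    "05 Oct 2016 15:18:24 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root",
    "05 Oct 2016 15:18:27 P FILE root Exec 55 3 /usr/sbin/mount /usr/bin/sh root",
]

# Assumed layout: "<DD Mon YYYY HH:MM:SS> <result letter> <class> <remaining fields>"
LINE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (\w) (\w+)\s*(.*)$")

class Shift(NamedTuple):
    time: str        # timestamp of the first record showing the changed user
    resource: str
    program: str
    before: tuple    # (user, result) last seen before the restart
    after: tuple     # (user, result) first seen after the restart

def find_identity_shifts(lines):
    """Return one Shift per (resource, program) whose logged user differs after seosd START."""
    baseline = {}      # (resource, program) -> (user, result), built until the first START
    restarted = False
    reported = set()
    shifts = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue   # not an audit record in the assumed layout
        when, result, cls, rest = m.groups()
        fields = rest.split()
        if cls == "START" and fields[:1] == ["seosd"]:
            restarted = True
            continue
        # Assumed FILE fields: user, access, two numeric codes, resource, program, ...
        if cls != "FILE" or len(fields) < 6 or fields[1] != "Exec":
            continue
        key, seen = (fields[4], fields[5]), (fields[0], result)
        if not restarted:
            baseline[key] = seen
        elif key in baseline and baseline[key][0] != seen[0] and key not in reported:
            reported.add(key)
            shifts.append(Shift(when, key[0], key[1], baseline[key], seen))
    return shifts

if __name__ == "__main__":
    for s in find_identity_shifts(SAMPLE):
        print(f"{s.time}: {s.resource} via {s.program}: {s.before} -> {s.after}")
```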