9:39 a.m.
Bonjour,
I'm trying to use auditd to log all actions made by the users on the
system. This part works fine.
The documentation mention the "auid" field to identify the user from the
first connection "even" when the user's identity changes (like with a su):
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is
assigned to a user upon login and is inherited by every process even when
the user's identity changes (for example, by switching user accounts with
the su - john command).
But this is not working. If I log with the user "test" (uid 1000) when I
switch to the user root, the value of auid is 0 (the uid of root).
Did I missing something ?
Thank you in advance.
Regards,
--
Guillaume
9:56 a.m.
Hello,
On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
I'm trying to use auditd to log all actions made by the users on
the
system. This part works fine.
The documentation mention the "auid" field to identify the user from the
first connection "even" when the user's identity changes (like with a su):
Correct.
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is
assigned to a user upon login and is inherited by every process even when
the user's identity changes (for example, by switching user accounts with
the su - john command).
But this is not working. If I log with the user "test" (uid 1000) when I
switch to the user root, the value of auid is 0 (the uid of root).
How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:
AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed
-Steve
5:13 p.m.
On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
Hello,
On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> I'm trying to use auditd to log all actions made by the users on the
> system. This part works fine.
>
> The documentation mention the "auid" field to identify the user from the
> first connection "even" when the user's identity changes (like with a
su):
Correct.
> auid=500
> The auid field records the Audit user ID, that is the loginuid. This ID is
> assigned to a user upon login and is inherited by every process even when
> the user's identity changes (for example, by switching user accounts with
> the su - john command).
>
> But this is not working. If I log with the user "test" (uid 1000) when I
> switch to the user root, the value of auid is 0 (the uid of root).
How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:
AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed
Perhaps pam_loginuid hasn't been applied
in
/etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
When searching for the module, do you see something like
# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/atd:session required pam_loginuid.so
/etc/pam.d/crond:session required pam_loginuid.so
/etc/pam.d/gdm:session required pam_loginuid.so
/etc/pam.d/gdm-autologin:session required pam_loginuid.so
/etc/pam.d/gdm-fingerprint:session required
pam_loginuid.so
/etc/pam.d/gdm-password:session required
pam_loginuid.so
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/remote:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:session required pam_loginuid.so
#
If not, then read up on how to use required pam modules.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
4:02 a.m.
Thank you !
I think you point the "missing". My first try was on debian wheezy. Now I
try on debian jessie. With jessie, all requirements seems presents and the
field auid has the right value !
type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59
success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2
ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps"
key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716): cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"
Thank you for your help !
--
Guillaume
On Thu, May 7, 2015 at 12:13 AM, Burn Alting <burn(a)swtf.dyndns.org> wrote:
On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> Hello,
>
> On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > I'm trying to use auditd to log all actions made by the users on the
> > system. This part works fine.
> >
> > The documentation mention the "auid" field to identify the user from
the
> > first connection "even" when the user's identity changes (like
with a
su):
>
> Correct.
>
> > auid=500
> > The auid field records the Audit user ID, that is the loginuid. This
ID is
> > assigned to a user upon login and is inherited by every process even
when
> > the user's identity changes (for example, by switching user accounts
with
> > the su - john command).
> >
> > But this is not working. If I log with the user "test" (uid 1000)
when
I
> > switch to the user root, the value of auid is 0 (the uid of root).
>
> How did you switch the user? I would like to try recreating the issue.
It may
> be that the underlying implementation actually does log you out. You'd
have to
> look for one of:
>
> AUDIT_USER_LOGOUT - User has logged out
> AUDIT_USER_END - User session end
> AUDIT_CRED_DISP - User credential disposed
>
Perhaps pam_loginuid hasn't been applied
in
/etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
When searching for the module, do you see something like
# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/atd:session required pam_loginuid.so
/etc/pam.d/crond:session required pam_loginuid.so
/etc/pam.d/gdm:session required pam_loginuid.so
/etc/pam.d/gdm-autologin:session required pam_loginuid.so
/etc/pam.d/gdm-fingerprint:session required
pam_loginuid.so
/etc/pam.d/gdm-password:session required
pam_loginuid.so
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/remote:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:session required pam_loginuid.so
#
If not, then read up on how to use required pam modules.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
3517
days inactive
3518
days old
linux-audit@lists.linux-audit.osci.io
3 comments
3 participants
participants (3)
-
Burn Alting -
Guillaume L. -
Steve Grubb