2:47 p.m.
So I was wondering if anyone had seen this. I have a set of nodes that
when we setup auditd on them the events we get back list the auid as
unset for basically everything except for login which shows up
correctly. Does anyone know where I may need to look at the config,
something in PAM or else where?
_______________________________
Todd Harris
Progeny Systems
Office Number: 703-368-6107 ext517
9:37 a.m.
On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote:
So I was wondering if anyone had seen this. I have a set of nodes
that
when we setup auditd on them the events we get back list the auid as
unset for basically everything except for login which shows up
correctly. Does anyone know where I may need to look at the config,
something in PAM or else where?
All entry point daemons should have a call to pam_loginuid in their pam stack. This
would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You might also want audit=1
added to the kernel boot line.
-Steve
1:24 p.m.
If I have a process that starts up automatically without going through
the pam stack, and users can interact with it. Is there any good way to
assign a uid that the audit system can use? Is it possible to have it
change /proc/self/loginuid?
The problem isn't so much what they do with the process as it is
the fact that it allows them to call up a terminal, that terminal always
starts as a particular user, but it's loginuid isn't set.
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Wednesday, May 11, 2011 10:38 AM
To: linux-audit(a)redhat.com
Cc: Harris, Todd
Subject: Re: user showing up as unset
On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote:
So I was wondering if anyone had seen this. I have a set of nodes
that
when we setup auditd on them the events we get back list the auid as
unset for basically everything except for login which shows up
correctly. Does anyone know where I may need to look at the config,
something in PAM or else where?
All entry point daemons should have a call to pam_loginuid in their pam
stack. This
would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You might also
want audit=1
added to the kernel boot line.
-Steve
1:30 p.m.
On Thursday, May 12, 2011 02:24:29 PM Harris, Todd wrote:
If I have a process that starts up automatically without going
through
the pam stack, and users can interact with it. Is there any good way to
assign a uid that the audit system can use? Is it possible to have it
change /proc/self/loginuid?
If the program has CAP_AUDIT_CONTROL, then it can change that value. Modify the source
code to write the uid into that file.
-Steve
2:07 p.m.
Last question on this topic I promise.
The program is one that I have very limited control over, and it's
started by the inittab. It is starting an xterm with "xterm -c su -
username". Other than adding the loginuid to the su pam stack is there
any simple way to get the loginuid set to username?
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, May 12, 2011 2:31 PM
To: Harris, Todd
Cc: linux-audit(a)redhat.com
Subject: Re: user showing up as unset
On Thursday, May 12, 2011 02:24:29 PM Harris, Todd wrote:
If I have a process that starts up automatically without going
through
the pam stack, and users can interact with it. Is there any good way
to
assign a uid that the audit system can use? Is it possible to have
it
change /proc/self/loginuid?
If the program has CAP_AUDIT_CONTROL, then it can change that value.
Modify the source
code to write the uid into that file.
-Steve
7:21 a.m.
On Thursday, May 12, 2011 03:07:17 PM Harris, Todd wrote:
Last question on this topic I promise.
The program is one that I have very limited control over, and it's
started by the inittab. It is starting an xterm with "xterm -c su -
username". Other than adding the loginuid to the su pam stack is there
any simple way to get the loginuid set to username?
You should have the source code to xterm. You can change it. Its only 3 lines of code
assuming you already did the username lookup. fopen, fwrite, fclose. Aside from that,
you could add pam_loginuid to su's pam settings. But then you have an admin problem if
they ever use it. So, you might want to forbid admins from using it in the pam
settings also. Procedurally, they could use sudo.
-Steve
4972
days inactive
4976
days old
linux-audit@lists.linux-audit.osci.io
5 comments
2 participants
participants (2)
-
Harris, Todd -
Steve Grubb