Re: audisp-prelude login question
On Thu, 2008-10-30 at 07:46 -0500, LC Bruzenak wrote:
On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote:
>
> Nope...somewhere the pam originating events are being eaten. You might strace
> an xdm login and look for some sendto's followed immediately by recvfrom's
to
> the audit socket. If they are missing entirely, then xdm is not calling pam.
> If they are there, we'd want to look at the return code to see if its having
> an error. Is xdm running as root at the point pam is called? Are there
> selinux rules? Are there dontaudit rules eating this?
>
I removed the dontaudits with semodule -DB and the events are still not
there. So I don't think my policy is eating them.
Also no strace joy yet because it looks like xdm launches something else
which does the authentication.
So I went back to the gdm session which audits. I thought if I could see
the strace from that I'd know what to look for on the failing one. Here
is the USER_LOGIN event:
node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user pid=7417
uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny
exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7
res=success)'
So I attached strace to the running "gdm-session-worker" process but
that strace isn't particularly insightful (to me at least). How do I
know which one is the audit socket?
I ran a known audit test program and there I could deduce the audit
socket because I could see the text I was sending in the strace; e.g.:
sendto(4, "\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0real-pri=2, real"..., 188, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 188
But looking earlier in the strace doesn't give me much clue as to FD=4
being the audit socket.
Any suggestions are welcome; thanks again for the help!
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com