Re: auditd and SSHD exported variables

Guillaume, The only way I can think of, is to write a pam module, similar to Steve's pam_loginuid. The module would need to gain the user's ssh key and use that to look up some database that maps the key to a uid. The uid can then be applied to the loginuid in the proc structure. Regards On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote: > Hello, > > > Is there a way to log with auditd exported variables through ssd ? > > > My servers are used by many users but with the same account. So, I > export the SSH_USER variable from our "bastion" (where each user has a > specific account). With this configuration I can retrieve the remote > login. > > > I use this script in /etc/profile.d/: > > > > logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo > $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " " > -f2` for $USER > > > ($SSH_USER is the variable exported via SSHD) > > > The ultimate goal is to match the following log with the "remote > user" (because all users use the uid 1000 to connect to the server): > > > type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 > success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 > ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" > key="auditcmd" > type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls" > > > type=CWD msg=audit(1431694892.457:37824): cwd="/root" > > > type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" > inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) > inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls" > > > Thank you in advance. > > > Regards, > > > > -- > Guillaume > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit