On Mon, Feb 21, 2005 at 03:18:55PM -0500, Valdis.Kletnieks(a)vt.edu wrote:
> On Sun, 20 Feb 2005 16:26:49 EST, Steve Grubb said:
> > Pam_audit was updated to write loginuid to /proc/pid/loginuid.
> > Because of the way pam works, this is done in the parent process and
> > the login uid is inherited by the child. This does not work for sshd
> > because of privilege separation. I'll have to patch that directly.
>
> OK, I'm a PAM idiot, and the manpage doesn't help much...
> It's unclear where pam_audit should be placed relative to other pam exits.
Try the following:
*** login
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_audit.so
session required pam_selinux.so multiple open
*** sshd
session required pam_stack.so service=system-auth
session required pam_audit.so

> For that matter, it's unclear if I can just stick it in the system-auth
> that gets included by everybody. Are there any cases where we *don't*
> want it in there?

You don't want a new login UID assigned if someone uses 'su', 'sudo' or
equivalent (that's the entire point of having a login UID maintained
separately), so putting it into system-auth is not a good idea.

-Klaus
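Added example, not part of the thread and not code from the audit or PAM projects: a small checker that applies the placement rule Klaus describes to a set of pam.d files. It expects pam_audit.so in the session stack of the interactive login services (login, sshd), placed after the pam_stack.so line that pulls in system-auth, and flags it if it appears in the shared system-auth stack, because su and sudo include that stack and would get a fresh login UID. The "login" and "sshd" contents are the ones from the thread; the "system-auth" and "su" contents, the function names and the directory loader are assumptions made for this example.

```python
"""Check pam_audit.so placement in pam.d-style service files.

Constructed example: the login and sshd stacks are the ones from the thread;
system-auth and su contents are assumed typical 2005-era stacks using
pam_stack.so as the include mechanism.
"""
import os

# Constructed sample pam.d contents (keys are service names).
GOOD_PAMD = {
    "login": (
        "session required pam_selinux.so close\n"
        "session required pam_stack.so service=system-auth\n"
        "session optional pam_console.so\n"
        "session required pam_audit.so\n"
        "session required pam_selinux.so multiple open\n"
    ),
    "sshd": (
        "session required pam_stack.so service=system-auth\n"
        "session required pam_audit.so\n"
    ),
    "system-auth": (
        "# shared stack included by login, sshd, su, sudo, ... (assumed)\n"
        "auth required pam_env.so\n"
        "auth sufficient pam_unix.so likeauth nullok\n"
        "auth required pam_deny.so\n"
        "account required pam_unix.so\n"
        "session required pam_limits.so\n"
        "session required pam_unix.so\n"
    ),
    "su": (
        "auth sufficient pam_rootok.so\n"
        "auth required pam_stack.so service=system-auth\n"
        "session required pam_stack.so service=system-auth\n"
    ),
}


def parse_pam_file(text):
    """Parse pam.d lines into dicts with type, control, module and args.

    Skips comments and blank lines; keeps bracketed control fields such as
    '[success=1 default=ignore]' together even though they contain spaces.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        type_ = parts[0].lower()
        if parts[1].startswith("["):
            end = 1
            while end < len(parts) and not parts[end].endswith("]"):
                end += 1
            control = " ".join(parts[1:end + 1])
            rest = parts[end + 1:]
        else:
            control = parts[1]
            rest = parts[2:]
        if not rest:
            continue  # no module name on this line
        entries.append({"type": type_, "control": control,
                        "module": rest[0], "args": rest[1:]})
    return entries


def check_pam_audit_placement(pamd, login_services=("login", "sshd"),
                              shared_stacks=("system-auth",)):
    """Return a list of findings; an empty list means the layout matches the rule."""
    findings = []
    # Rule 1: never in a shared stack that su/sudo also include.
    for svc in shared_stacks:
        if any(e["module"] == "pam_audit.so" for e in parse_pam_file(pamd.get(svc, ""))):
            findings.append(f"{svc}: pam_audit.so in shared stack; "
                            "su/sudo would be assigned a new login uid")
    # Rule 2: present in each login service's session stack, after pam_stack.so.
    for svc in login_services:
        if svc not in pamd:
            findings.append(f"{svc}: no pam.d file found")
            continue
        session = [e for e in parse_pam_file(pamd[svc]) if e["type"] == "session"]
        audit_pos = [i for i, e in enumerate(session) if e["module"] == "pam_audit.so"]
        if not audit_pos:
            findings.append(f"{svc}: pam_audit.so missing from session stack")
            continue
        stack_pos = [i for i, e in enumerate(session) if e["module"] == "pam_stack.so"]
        if stack_pos and audit_pos[0] < max(stack_pos):
            findings.append(f"{svc}: pam_audit.so listed before pam_stack.so "
                            "in the session stack")
    return findings


def load_pamd_dir(path):
    """Read every regular file in a pam.d directory into {service: text}."""
    pamd = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                pamd[name] = fh.read()
    return pamd


if __name__ == "__main__":
    import sys
    # Usage: python check_pam_audit.py [/etc/pam.d]; defaults to the sample above.
    target = load_pamd_dir(sys.argv[1]) if len(sys.argv) > 1 else GOOD_PAMD
    problems = check_pam_audit_placement(target)
    for p in problems:
        print("FINDING:", p)
    if not problems:
        print("pam_audit.so placement looks consistent")
```

Run it against a real directory to audit a host, or with no argument to see the thread's layout pass. The ordering check only encodes what the thread's example shows (pam_audit after the pam_stack line that runs system-auth); it does not try to validate the rest of the stack.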