On Sun, Feb 20, 2005 at 04:26:49PM -0500, Steve Grubb wrote:
> Pam_audit was updated to write loginuid to /proc/pid/loginuid. Because of the
> way pam works, this is done in the parent process and the login uid is
> inherited by the child. This does not work for sshd because of privilege
> separation. I'll have to patch that directly.
Your code already works for me with sshd if you put pam_audit.so into the
"session" stack:
Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
[kw@rhel4 ~]$ cat /proc/self/loginuid
500
This was using audit-0.6.3-2 and kernel-2.6.9-5.EL.audit.6, and the
following pam config:
#%PAM-1.0
#
# pam.d/sshd - pam.d/sshd configuration for EAL4/CAPP compliance
# see the Evaluated Configuration Guide for more info
#
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_audit.so
Kris, I'll send out an updated preliminary cert RPM with this change
included.
-Klaus
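The records above show what a correct pam_audit run looks like on the kernel side: the "login" audit record carries an old loginuid of 4294967295 (the unsigned form of -1, meaning "never set") and a new loginuid of 500, and /proc/self/loginuid in the resulting shell reads 500. The following is an added example, not code from the thread or from the audit package; it parses those kernel "login" records, treats 4294967295 as "unset", and flags the one case a reviewer of such logs would want to see, a loginuid that was already set being changed to a different value. The sample log is constructed from the lines above plus one hypothetical reassignment record (pid 2851, loginuid 500 to 501) that does not appear in the original; `read_own_loginuid` is an assumed helper for checking a live shell the same way `cat /proc/self/loginuid` does.

```python
import re
from typing import Dict, List, Optional

# Sentinel the kernel prints when no loginuid has been set yet: (uid_t)-1 as unsigned 32-bit.
UNSET_LOGINUID = 4294967295

# Constructed sample log: the two kernel records from the session above, re-joined on one
# line each, plus a hypothetical record in which an already-set loginuid is overwritten.
SAMPLE_LOG = """\
Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
Feb 21 13:52:41 rhel4 kernel: audit(1109015561.101:0): login pid=2851 uid=0 old loginuid=500 new loginuid=501
"""

# Matches only the kernel "login" record type (loginuid change); "user" records are skipped.
LOGIN_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): login pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"old loginuid=(?P<old>\d+) new loginuid=(?P<new>\d+)"
)


def parse_loginuid(text: str) -> Optional[int]:
    """Interpret a loginuid value as printed by the kernel or /proc; None means 'not set'.

    Both the unsigned form (4294967295) and a literal -1 are treated as unset.
    """
    value = int(text.strip())
    if value in (UNSET_LOGINUID, -1):
        return None
    return value


def parse_login_records(log: str) -> List[Dict]:
    """Extract every kernel 'login' audit record from a syslog-style text."""
    records = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        records.append({
            "ts": float(m["ts"]),
            "pid": int(m["pid"]),
            "old": parse_loginuid(m["old"]),
            "new": parse_loginuid(m["new"]),
        })
    return records


def find_reassignments(records: List[Dict]) -> List[Dict]:
    """Return records where a loginuid that was already set changed to a different value.

    A normal login goes from unset to a uid; anything else is worth a look, since the
    whole point of loginuid is to survive su/sudo and identify the original login.
    """
    return [r for r in records if r["old"] is not None and r["new"] != r["old"]]


def read_own_loginuid() -> Optional[int]:
    """Assumed helper: read /proc/self/loginuid on a live system; None if absent or unset."""
    try:
        with open("/proc/self/loginuid") as f:
            return parse_loginuid(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    recs = parse_login_records(SAMPLE_LOG)
    for r in recs:
        print(f"pid={r['pid']} loginuid {r['old']} -> {r['new']}")
    for r in find_reassignments(recs):
        print(f"WARNING: loginuid reassigned in pid {r['pid']}: {r['old']} -> {r['new']}")
    print("this process loginuid:", read_own_loginuid())
```

Run on the sample, the first record is reported as a clean unset-to-500 login and only the constructed pid 2851 record is flagged. Against a real syslog the same parser can be pointed at /var/log/messages; the "user" record carrying `msg='login user=kw uid=500'` is intentionally ignored here because it is the userspace message from pam_audit, not the kernel's own statement of the loginuid change.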