From: LC Bruzenak
Subject: Re: audisp-prelude login question
Date: Thu, 30 Oct 2008 09:29:12 -0500
Message-ID: <1225376952.9388.341.camel@homeserver>
In-Reply-To: <1225370817.9388.306.camel@homeserver>
To: Linux Audit
List-Id: linux-audit@redhat.com

On Thu, 2008-10-30 at 07:46 -0500, LC Bruzenak wrote:
> On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote:
> >
> > Nope...somewhere the pam originating events are being eaten. You might strace
> > an xdm login and look for some sendto's followed immediately by recvfrom's to
> > the audit socket. If they are missing entirely, then xdm is not calling pam.
> > If they are there, we'd want to look at the return code to see if it's having
> > an error. Is xdm running as root at the point pam is called? Are there
> > selinux rules? Are there dontaudit rules eating this?
>
> I removed the dontaudits with semodule -DB and the events are still not there.
> So I don't think my policy is eating them.
Also no strace joy yet because it looks like xdm launches something else which
does the authentication.

So I went back to the gdm session which audits. I thought if I could see the
strace from that I'd know what to look for on the failing one. Here is the
USER_LOGIN event:

node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user pid=7417 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7 res=success)'

So I attached strace to the running "gdm-session-worker" process but that
strace isn't particularly insightful (to me at least).

How do I know which one is the audit socket? I ran a known audit test program
and there I could deduce the audit socket because I could see the text I was
sending in the strace; e.g.:

sendto(4, "\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0real-pri=2, real"..., 188, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 188

But looking earlier in the strace doesn't give me much clue as to FD=4 being
the audit socket.

Any suggestions are welcome; thanks again for the help!

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
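The question in the message above, which descriptor is the audit socket, can be answered from the trace itself: libaudit opens it with socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT), so the fd returned by that call is the one whose sendto/recvfrom pairs carry the records. The script below is an added example, not from the thread or the audit project: it scans a constructed strace excerpt (only the sendto line is the one quoted in the mail; the other lines and fd numbers are made up), follows the audit fd until it is closed, and decodes the 16-byte nlmsghdr of each message. It assumes an x86 capture (little-endian header fields) and only a small subset of the audit message types from linux/audit.h.

```python
import re
import struct
# Constructed strace excerpt: only the sendto line is the one quoted in the mail.
STRACE = r'''
socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 4
sendto(4, "\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0real-pri=2, real"..., 188, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 188
recvfrom(4, "$\0\0\0\2\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0", 8970, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
'''

CALL = re.compile(r'^(\w+)\((.*)\)\s*=\s*(-?\d+)')   # name(args) = retval
LITERAL = re.compile(r'\s*"((?:[^"\\]|\\.)*)"')       # strace's C-style string literal
NLMSGHDR = struct.Struct('<IHHII')  # len, type, flags, seq, pid; little-endian x86 capture assumed
MSG_TYPES = {2: 'NLMSG_ERROR', 1100: 'AUDIT_USER_AUTH', 1112: 'AUDIT_USER_LOGIN', 1121: 'AUDIT_TRUSTED_APP'}

def unescape_strace(text):
    """Turn the body of an strace string literal (\\ooo, \\xhh, \\n ...) into bytes."""
    def repl(m):
        if m.group(1) is not None:
            return bytes([int(m.group(1), 8)])
        if m.group(2) is not None:
            return bytes([int(m.group(2), 16)])
        return {b'n': b'\n', b't': b'\t', b'r': b'\r'}.get(m.group(3), m.group(3))
    return re.sub(rb'\\([0-7]{1,3})|\\x([0-9a-fA-F]{2})|\\(.)', repl, text.encode('latin-1'))

def find_audit_traffic(trace):
    """Return (fds ever opened as NETLINK_AUDIT sockets, decoded sendto/recvfrom headers on them)."""
    seen, open_fds, messages = set(), set(), []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m is None:
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3))
        if name == 'socket' and 'NETLINK_AUDIT' in args and ret >= 0:
            seen.add(ret); open_fds.add(ret)      # this fd is the audit socket
        elif name == 'close':
            open_fds.discard(int(args))           # the number may be reused for another socket
        elif name in ('sendto', 'recvfrom'):
            fd_str, rest = args.split(',', 1)
            lit = LITERAL.match(rest)
            if int(fd_str) not in open_fds or not lit:
                continue
            data = unescape_strace(lit.group(1))
            if len(data) < NLMSGHDR.size:
                continue                          # strace -s too small to show the header
            nlen, ntype, flags, seq = NLMSGHDR.unpack_from(data)[:4]
            messages.append({'call': name, 'fd': int(fd_str), 'len': nlen, 'seq': seq,
                             'type': MSG_TYPES.get(ntype, ntype), 'flags': flags,
                             'truncated': rest[lit.end():].startswith('...'), 'payload': data[16:]})
    return seen, messages
```

Capture with strace -f (gdm-session-worker is a child of gdm) and a larger -s so the record text after the header is not cut at strace's default 32 bytes.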