From: LC Bruzenak <lenny@magitekltd.com>
Subject: uid<-->username question
Date: Thu, 05 Mar 2009 10:08:43 -0600
Message-ID: <1236269323.7212.439.camel@homeserver>
To: Linux Audit <linux-audit@redhat.com>

All,

I was thinking about a scheme to retrieve usernames from UIDs on different machines.

I was going to push the passwd file from a participating audit client up to the server. Then I'll store it uniquely according to its IP address (e.g. /var/etc/passwd.192.168.10.10).

Then, I'd change the parse code which looks up the username from getpwuid(). In the case where the host was localhost, I'd still use the getpwuid() call. In the case where it is another host, I'd use fgetpwent() on the particular host's passwd file.

I see that the name-value cache will have to be modified, or maybe a UID/hostname/username triplet cache will need to be used instead for UIDs.

On the sender, I was thinking that I already have an excellent audit-based file watch in place. Ideally, on a /etc/passwd addition, I'd like to fire a rule to automatically send the modified host's file up to the collector machine.

Any thoughts on this?
I realize in most systems an LDAP server is adequate for federated logins and no code changes or schemes are necessary. I do not have this and likely never will, given my environment.

I also have to ensure that the participating systems do not reuse old UIDs or remove expired ones from their password file.

I also realize this code change may be of little use to the general community, but if I do this and others have similar restrictions I'd be happy to share what I do.

Thx in advance,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
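The scheme described above, as an added example (not code from the audit userspace tools or from the poster): a resolver that keeps getpwuid() for localhost and scans a per-host passwd copy with fgetpwent() for every other host, with the cache keyed by (host, uid) rather than by uid alone. The /var/etc/passwd.<ip> layout is the post's; the sample passwd content, the host 192.168.10.10 and all function names (resolve_uid, cache_flush_host, host_is_valid, sample_resolve) are this example's own. Linux/glibc is assumed for fgetpwent(3) and fmemopen(3).

```c
#define _GNU_SOURCE                 /* fgetpwent(3), fmemopen(3) need the non-strict feature set */
/* Added example, not ausearch/auparse code and not the poster's: a (host, uid)
 * -> username resolver in the shape the post describes. Linux/glibc assumed. */
#include <arpa/inet.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CACHE_MAX 256
#define STR_MAX   64

/* Constructed sample standing in for a pushed /var/etc/passwd.192.168.10.10. */
static const char SAMPLE_HOST[] = "192.168.10.10";
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "lcb:x:1000:1000:Lenny:/home/lcb:/bin/bash\n"
    "auditor:x:1001:1001::/var/empty:/sbin/nologin\n";

/* Keyed by (host, uid), not uid alone: UID 1000 can be someone else on each host. */
struct cache_entry { char host[STR_MAX]; uid_t uid; char name[STR_MAX]; };
static struct cache_entry cache[CACHE_MAX];
static size_t cache_len;

static const char *cache_get(const char *host, uid_t uid)
{
    for (size_t i = 0; i < cache_len; i++)
        if (cache[i].uid == uid && strcmp(cache[i].host, host) == 0)
            return cache[i].name;
    return NULL;
}

static void cache_put(const char *host, uid_t uid, const char *name)
{
    if (cache_len == CACHE_MAX) return;                 /* full: stop caching */
    struct cache_entry *e = &cache[cache_len++];
    snprintf(e->host, sizeof e->host, "%s", host);
    snprintf(e->name, sizeof e->name, "%s", name);
    e->uid = uid;
}

/* Drop one host's entries when it pushes a fresh passwd copy, so a removed
 * or reused UID stops resolving to its old name. Returns the count dropped. */
size_t cache_flush_host(const char *host)
{
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; i < cache_len; i++) {
        if (strcmp(cache[i].host, host) == 0) { dropped++; continue; }
        cache[kept++] = cache[i];
    }
    cache_len = kept;
    return dropped;
}

/* localhost keeps using getpwuid() as the existing parser does; any other host
 * is scanned with fgetpwent() from the stream the caller opened for it (a real
 * file or an fmemopen() buffer). Misses stay numeric and are not cached. */
const char *resolve_uid(const char *host, uid_t uid, FILE *hostpw,
                        char *out, size_t outlen)
{
    const char *hit = cache_get(host, uid);
    if (hit) { snprintf(out, outlen, "%s", hit); return out; }
    const char *name = NULL; struct passwd *pw;
    if (strcmp(host, "localhost") == 0) {
        if ((pw = getpwuid(uid)) != NULL) name = pw->pw_name;
    } else if (hostpw) {
        rewind(hostpw);
        while ((pw = fgetpwent(hostpw)) != NULL)
            if (pw->pw_uid == uid) { name = pw->pw_name; break; }
    }
    if (name) { snprintf(out, outlen, "%s", name); cache_put(host, uid, out); }
    else        snprintf(out, outlen, "%lu", (unsigned long)uid);   /* not cached */
    return out;
}

/* The host string arrives over the network and ends up in the file name
 * /var/etc/passwd.<host>: check it before fopen(), or "../etc" gets opened. */
int host_is_valid(const char *host)
{
    struct in_addr a;
    return strcmp(host, "localhost") == 0 || inet_pton(AF_INET, host, &a) == 1;
}

/* Offline demo: resolve against the constructed sample instead of a pushed file. */
const char *sample_resolve(uid_t uid)
{
    static char name[STR_MAX];
    FILE *fp = fmemopen((void *)SAMPLE_PASSWD, sizeof SAMPLE_PASSWD - 1, "r");
    resolve_uid(SAMPLE_HOST, uid, fp, name, sizeof name);
    if (fp) fclose(fp);
    return name;
}

int main(void)
{
    printf("%s uid 1000 -> %s\n", SAMPLE_HOST, sample_resolve(1000));
    printf("%s uid 4242 -> %s\n", SAMPLE_HOST, sample_resolve(4242));
    printf("flushed %zu cached entries for %s\n", cache_flush_host(SAMPLE_HOST), SAMPLE_HOST);
    return 0;
}
```

Two details bear on the concern about UIDs being removed or reused on the participating systems: a hit is cached only under its (host, uid) pair, and the handler that receives a newly pushed copy should call cache_flush_host() for that host before anything else resolves against it; a miss is left as the bare number and not cached, so it resolves once the updated file arrives. fgetpwent(3) returns a pointer to static storage and is not thread-safe, so a multi-threaded collector would use fgetpwent_r(3). Each miss is a full scan of that host's file, which is why the cache is worth keeping.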