* auditd and SSHD exported variables
@ 2015-05-15 13:09 Guillaume L.
2015-05-22 23:07 ` Burn Alting
0 siblings, 1 reply; 5+ messages in thread
From: Guillaume L. @ 2015-05-15 13:09 UTC (permalink / raw)
To: linux-audit
Hello,
Is there a way to log, with auditd, variables exported through sshd?
My servers are used by many users but with the same account. So, I export
the SSH_USER variable from our "bastion" (where each user has a specific
account). With this configuration I can retrieve the remote login.
I use this script in /etc/profile.d/:

# Log who connected: $SSH_USER is exported by sshd from the bastion, and
# $SSH_CONNECTION holds "client_ip client_port server_ip server_port".
client_ip=$(echo "$SSH_CONNECTION" | cut -d " " -f1)
client_port=$(echo "$SSH_CONNECTION" | cut -d " " -f2)
logger -p local0.notice "$(date): Connection from $SSH_USER@$client_ip:$client_port for $USER"

($SSH_USER is the variable exported via SSHD)
The ultimate goal is to match the following log with the "remote user"
(because all users use the uid 1000 to connect to the server):
type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"
type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
type=CWD msg=audit(1431694892.457:37824): cwd="/root"
type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
Thank you in advance.
Regards,
--
Guillaume
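The goal stated in the message above is to tie the quoted SYSCALL records (all with auid=1000) back to the bastion-side user. The script below is an added example, not code from the thread. It assumes the /etc/profile.d logger line has been extended to append the kernel audit session id read from /proc/self/sessionid (an assumption; the thread's script does not do this); every audit record already carries that value in its ses= field, so the syslog line and the audit records can be joined on it. All input lines are constructed samples, apart from the ses=17 records taken from the message.

```python
"""Join the profile.d syslog line with audit records on the audit session id.

Added example, not code from the thread. It assumes the /etc/profile.d script
has been extended to append "ses=<n>", read from /proc/self/sessionid, to its
syslog line; the kernel stamps the same value into the ses= field of every
audit record for that session, so the two sources can be joined on it.
All input below is constructed sample data (the ses=17 records are the ones
quoted in the thread).
"""
import re
from collections import defaultdict

# Constructed syslog lines as the extended profile.d script would emit them.
SYSLOG = """\
May 15 15:01:20 srv shared: Connection from alice@10.0.0.5:54321 for shared ses=17
May 15 15:02:02 srv shared: Connection from bob@10.0.0.9:40022 for shared ses=18
"""

# Audit records: the thread's ses=17 event, plus constructed ses=18 and ses=19
# events. ses=19 has no syslog line (e.g. "ssh host cmd" never sources
# /etc/profile.d), which is the failure mode the attribution must surface.
AUDIT = """\
type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"
type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
type=CWD msg=audit(1431694892.457:37824): cwd="/root"
type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
type=SYSCALL msg=audit(1431694950.101:37900): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=31000 pid=31010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=18 comm="cat" exe="/bin/cat" key="auditcmd"
type=SYSCALL msg=audit(1431695000.500:37950): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=31100 pid=31105 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=19 comm="id" exe="/usr/bin/id" key="auditcmd"
"""

SYSLOG_RE = re.compile(
    r"Connection from (?P<remote>[^@\s]+)@(?P<ip>[^:\s]+):(?P<port>\d+) "
    r"for (?P<local>\S+) ses=(?P<ses>\d+)"
)
# Audit records are key=value pairs; values are either quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Parse one audit record per line into a dict of its key=value fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return records


def session_map(syslog_text):
    """Map audit session id -> remote user / client address from the logger lines."""
    sessions = {}
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            sessions[m["ses"]] = m.groupdict()
    return sessions


def attribute(audit_text, syslog_text):
    """Return (remote_user, record) pairs for every SYSCALL record."""
    sessions = session_map(syslog_text)
    out = []
    for rec in parse_audit(audit_text):
        if rec.get("type") != "SYSCALL":
            continue
        ses = rec.get("ses")
        info = sessions.get(ses)
        # A session without a logger line cannot be attributed: flag it by
        # session id instead of silently guessing a user.
        who = info["remote"] if info else f"unknown:ses={ses}"
        out.append((who, rec))
    return out


def commands_by_user(audit_text, syslog_text):
    """Summarise executed binaries per remote user (unknown sessions kept separate)."""
    summary = defaultdict(list)
    for who, rec in attribute(audit_text, syslog_text):
        summary[who].append(rec.get("exe", "?"))
    return dict(summary)


if __name__ == "__main__":
    for who, rec in attribute(AUDIT, SYSLOG):
        print(f'{who:16} ses={rec["ses"]} auid={rec["auid"]} uid={rec["uid"]} exe={rec["exe"]}')
```

The join only works for sessions that actually sourced /etc/profile.d, i.e. interactive login shells; a non-interactive "ssh host command" or an scp/sftp session produces audit records with a ses= value that no logger line explains, which is why unknown sessions are reported rather than dropped. The syslog line also leaves the system through a different channel than the audit records, so the two should be shipped and retained together.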
* Re: auditd and SSHD exported variables
2015-05-15 13:09 auditd and SSHD exported variables Guillaume L.
@ 2015-05-22 23:07 ` Burn Alting
2015-05-25 7:37 ` Guillaume L.
0 siblings, 1 reply; 5+ messages in thread
From: Burn Alting @ 2015-05-22 23:07 UTC (permalink / raw)
To: Guillaume L.; +Cc: linux-audit
Guillaume,
The only way I can think of is to write a PAM module, similar to
Steve's pam_loginuid.
The module would need to gain the user's ssh key and use that to look up
some database that maps the key to a uid. The uid can then be applied to
the loginuid in the proc structure.
Regards
On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> Hello,
>
>
> Is there a way to log with auditd exported variables through ssd ?
>
>
> My servers are used by many users but with the same account. So, I
> export the SSH_USER variable from our "bastion" (where each user has a
> specific account). With this configuration I can retrieve the remote
> login.
>
>
> I use this script in /etc/profile.d/:
>
>
>
> logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo
> $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " "
> -f2` for $USER
>
>
> ($SSH_USER is the variable exported via SSHD)
>
>
> The ultimate goal is to match the following log with the "remote
> user" (because all users use the uid 1000 to connect to the server):
>
>
> type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
> success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2
> ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls"
> key="auditcmd"
> type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
>
>
> type=CWD msg=audit(1431694892.457:37824): cwd="/root"
>
>
> type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls"
> inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1431694892.457:37824): item=1 name=(null)
> inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
>
>
> Thank you in advance.
>
>
> Regards,
>
>
>
> --
> Guillaume
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: auditd and SSHD exported variables
2015-05-22 23:07 ` Burn Alting
@ 2015-05-25 7:37 ` Guillaume L.
2015-05-25 22:09 ` Steve Grubb
0 siblings, 1 reply; 5+ messages in thread
From: Guillaume L. @ 2015-05-25 7:37 UTC (permalink / raw)
To: burn; +Cc: linux-audit
Hello,
Thank you for your response.
I hoped that there were other ways to do this :)
I will explore PAM to try to create a module!
--
Guillaume
On Sat, May 23, 2015 at 1:07 AM, Burn Alting <burn@swtf.dyndns.org> wrote:
> Guillaume,
>
> The only way I can think of, is to write a pam module, similar to
> Steve's pam_loginuid.
>
> The module would need to gain the user's ssh key and use that to look up
> some database that maps the key to a uid. The uid can then be applied to
> the loginuid in the proc structure.
>
> Regards
* Re: auditd and SSHD exported variables
2015-05-25 7:37 ` Guillaume L.
@ 2015-05-25 22:09 ` Steve Grubb
2015-05-26 11:46 ` Burn Alting
0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2015-05-25 22:09 UTC (permalink / raw)
To: linux-audit
On Monday, May 25, 2015 09:37:33 AM Guillaume L. wrote:
> Hello,
>
> Thank you for your response.
>
> I hoped that there are another ways to do this :)
>
> I will explore pam to try to create a module !
The audit system in its entirety is designed with the assumption that each
user has their own account. It's for this reason that all security guidance
asks that root logins be disallowed. (Root is typically a shared account and
you cannot tell who did what if root logins were allowed.)
I'm not sure of the use case. Perhaps it really doesn't matter to have an
audit trail. But without any knowledge of the problem that one common account
solves, I say that you might consider giving people different accounts and using
supplemental groups if they share documents.
-Steve
* Re: auditd and SSHD exported variables
2015-05-25 22:09 ` Steve Grubb
@ 2015-05-26 11:46 ` Burn Alting
0 siblings, 0 replies; 5+ messages in thread
From: Burn Alting @ 2015-05-26 11:46 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve,
I am assuming that Guillaume has a situation where he wants to provide a
unique sshd key as a login token as opposed to a user account name token
we find in /etc/passwd (or its equivalent). In practice, it should just
require a single level of indirection. That is, map the sshd key to the
account name and then to the account's uid in some corporate repository.
Regards
On Mon, 2015-05-25 at 18:09 -0400, Steve Grubb wrote:
> On Monday, May 25, 2015 09:37:33 AM Guillaume L. wrote:
> > Hello,
> >
> > Thank you for your response.
> >
> > I hoped that there are another ways to do this :)
> >
> > I will explore pam to try to create a module !
>
> The audit system in its entirety is designed with the assumption that each
> user has their own account. Its for this reason that all security guidance
> asks that root logins be disallowed. (Root is typically a shared account and
> you cannot tell who did what if root logins were allowed.)
>
> I'm not sure of the use case. Perhaps it really doesn't matter to have an
> audit trail. But without any knowledge of the problem that one common account
> solves, I say that you might consider giving people different accounts and use
> supplemental groups if they share documents.
>
> -Steve
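Burn's two messages (the pam_loginuid-style module that maps the presented ssh key to a uid, and the single level of indirection from key to account name to uid) describe a lookup that a PAM module would perform before setting the login uid. The code below is an added example, not code from the thread, from pam_loginuid or from any existing PAM module: it fingerprints a public-key line the way OpenSSH prints fingerprints (SHA-256 over the raw key blob, base64 without padding, "SHA256:" prefix), resolves the fingerprint through an in-memory repository to an account name and uid, and refuses to fall back to the shared uid for an unregistered key. The KeyDirectory class, the account table, the uids 2001/2002 and the key material are all constructed for the example.

```python
"""Map an ssh public key to an account name and then to a uid (added example).

This is not code from the thread, from pam_loginuid or from any PAM module. It
shows the single level of indirection described on the list: fingerprint the
key that authenticated the login, look the fingerprint up in a repository
that maps it to an account name, and resolve that name to the uid a PAM
module would then set as the login uid. The repository and the key material
are constructed in-memory samples; the fingerprint format is the one OpenSSH
prints (SHA-256 over the raw key blob, base64 without padding, "SHA256:").
"""
import base64
import hashlib
import struct


def fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of one public-key line ("type blob ...")."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name; it must agree with
    # the textual key type, otherwise the line was mangled or tampered with.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != parts[0]:
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyDirectory:
    """Fingerprint -> account name -> uid; stands in for the corporate repository."""

    def __init__(self, uid_by_name):
        self._uid_by_name = dict(uid_by_name)
        self._name_by_fp = {}

    def register(self, pubkey_line, account):
        if account not in self._uid_by_name:
            raise KeyError(f"unknown account {account!r}")
        self._name_by_fp[fingerprint(pubkey_line)] = account

    def resolve(self, pubkey_line):
        """Return (account, uid) for a registered key, or None.

        An unregistered key yields None rather than the shared account's uid:
        silently attributing the session to uid 1000 would defeat the purpose.
        """
        account = self._name_by_fp.get(fingerprint(pubkey_line))
        if account is None:
            return None
        return account, self._uid_by_name[account]


def fake_ed25519_key(fill):
    """Constructed, syntactically valid ed25519 key line (not real key material)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


ALICE_KEY = fake_ed25519_key(0x01)
BOB_KEY = fake_ed25519_key(0x02)
STRANGER_KEY = fake_ed25519_key(0x03)  # never registered


def build_demo_directory():
    # Constructed accounts: each person gets a distinct uid, never the shared 1000.
    directory = KeyDirectory({"alice": 2001, "bob": 2002})
    directory.register(ALICE_KEY, "alice")
    directory.register(BOB_KEY, "bob")
    return directory


if __name__ == "__main__":
    directory = build_demo_directory()
    for key in (ALICE_KEY, BOB_KEY, STRANGER_KEY):
        print(fingerprint(key), directory.resolve(key))
```

The resolved uid is what a pam_loginuid-style module would write to /proc/self/loginuid for the session, after which every audit record of that session carries it in auid= even though uid= stays 1000. The hard part Burn points at is getting the key into the module at all: sshd has to expose which key authenticated the session (OpenSSH 7.4 and later can do this with the ExposeAuthInfo option, which writes the accepted credentials to a file named by the SSH_USER_AUTH environment variable), and the fingerprint-to-account repository must be as tightly controlled as /etc/passwd, since whoever can edit it chooses what the audit trail says.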