From: "Boyce, Kevin P (AS)"
Subject: RedHat 6 Testing
Date: Fri, 25 Mar 2011 14:55:43 +0000
To: linux-audit@redhat.com

All,

I have some puzzling behavior, can anyone shed some light here?

I have a script in cron.weekly that has a command being executed which I am auditing for execve. That part seems to work fine. However, in the detailed audit report my user id is associated with the execution. Root owns the files there and ultimately root is the effective UID in the record, but why am I associated with the activity at all?

Audit version is: 2.0.4-1
Kernel version is: 2.6.32-71

I did not notice this behavior in RHEL5.

Regards,
Kevin

From: Sean.Hollinger@gdc4s.com
Subject: RE: RedHat 6 Testing
Date: Fri, 25 Mar 2011 08:32:40 -0700
To: Kevin.Boyce@ngc.com, linux-audit@redhat.com

Even if the cron is owned by root, I believe the audit records the user id of the last user to edit the /var/spool/cron/croncrontab file (or wherever your crontab is located). I have seen this using Solaris but I haven't specifically noticed it with Linux.

Sean

From: "Boyce, Kevin P (AS)"
Subject: RE: RedHat 6 Testing
Date: Fri, 25 Mar 2011 15:39:29 +0000
To: Sean.Hollinger@gdc4s.com
Cc: linux-audit@redhat.com

I remembered that behavior with Solaris as well. However, this should be an anacron job. There is a text file in /var/spool/anacron/cron.weekly with the date of the last time the job was run. The files here are also owned by root. Nothing under /var/spool/cron. I have also disabled SELinux.

The script I have under /etc/cron.weekly does get installed by an rpm package I made and installed (using sudo rpm -ihv). I can't imagine the audit system queries rpm for who installed the file?

Kevin

From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: RedHat 6 Testing
Date: Fri, 25 Mar 2011 12:15:17 -0400
To: linux-audit@redhat.com

On Friday, March 25, 2011 10:55:43 am Boyce, Kevin P (AS) wrote:
> I have a script in cron.weekly that has a command being executed which I am
> auditing for execve. That part seems to work fine. However, in the
> detailed audit report my user id is associated with the execution. Root
> owns the files there and ultimately root is the effective UID in the
> record, but why am I associated with the activity at all?

What did pam record for the user_start?

ausearch --start today -x crond -m user_start

This should show which account the script will run under. The cron daemon should set the loginuid to it. That would cause all actions done by the script to be attributed to that user.

Also, have you restarted the cron daemon? Maybe it inherited your account. You can check by this:

cat /proc/`ps -C crond -o pid= | tr -d ' '`/loginuid

-Steve


From: "Boyce, Kevin P (AS)"
Subject: RE: EXT :Re: RedHat 6 Testing
Date: Fri, 25 Mar 2011 18:53:34 +0000
To: Steve Grubb, linux-audit@redhat.com

The ausearch records root as the UID.

The cat command returns a UID of 1386 which is my ldap account UID.

Is there a way to prevent cron from inheriting my session (perhaps by removing the session line in /etc/pam.d/crond)?

Kevin

From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: EXT :Re: RedHat 6 Testing
Date: Fri, 25 Mar 2011 17:38:21 -0400
To: "Boyce, Kevin P (AS)"
Cc: linux-audit@redhat.com

On Friday, March 25, 2011 02:53:34 pm Boyce, Kevin P (AS) wrote:
> The ausearch records root as the UID.
>
> The cat command returns a UID of 1386 which is my ldap account UID.
>
> Is there a way to prevent cron from inheriting my session (perhaps by
> removing the session line in /etc/pam.d/crond)?

If you restarted the daemon, then it literally inherited your credentials and environment. The fix for this is rebooting the machine. This only happens if you restart sshd, crond, gdm, kdm, xdm since sessions start with them.

-Steve
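The loginuid check Steve gives for crond, extended to the other session-starting daemons he lists in his last reply (sshd, gdm, kdm, xdm), as an added example that is not part of the thread or of the audit project's own tooling. It walks /proc/PID/comm directly instead of using `ps -C`, so it also runs where procps is absent. The assumptions are mine, not the thread's: loginuid 4294967295 (unsigned -1) is the "unset" value a daemon started at boot carries, a loginuid of 0 means the daemon was restarted from a root login rather than at boot, and the daemon names in the list are the ones the thread mentions plus Debian-style `cron`.

```sh
#!/bin/sh
# Added example (not from the thread): report long-running daemons whose audit
# loginuid was inherited from an interactive login session. As Steve explains,
# a daemon restarted from a user's shell keeps that user's loginuid, so every
# job it spawns is attributed to that user in the audit log until a reboot.
#
# Assumption: a boot-started daemon has loginuid 4294967295 (unsigned -1, "unset").
UNSET_LOGINUID=4294967295

# classify_loginuid VALUE
# Prints one of: unset | root | inherited:<uid> | invalid
classify_loginuid() {
    case "$1" in
        "$UNSET_LOGINUID") echo unset ;;
        0)                 echo root ;;
        ''|*[!0-9]*)       echo invalid ;;
        *)                 echo "inherited:$1" ;;
    esac
}

# daemon_needs_attention NAME CLASS
# True when a daemon that should have been started at boot carries a real
# login uid. "root" is flagged too: it means someone restarted the daemon from
# a root login, which is the same inheritance problem with a different uid.
daemon_needs_attention() {
    case "$2" in
        inherited:*|root) return 0 ;;
        *)                return 1 ;;
    esac
}

# pids_by_comm NAME: list PIDs whose /proc/PID/comm equals NAME.
# Equivalent to `ps -C NAME -o pid=` from the thread, without needing procps.
pids_by_comm() {
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ]; then
            echo "${d#/proc/}"
        fi
    done
}

# scan_daemons: one line per running daemon instance with its loginuid class.
scan_daemons() {
    found=0
    for name in crond cron sshd gdm kdm xdm; do
        for pid in $(pids_by_comm "$name"); do
            found=1
            uid=$(cat "/proc/$pid/loginuid" 2>/dev/null) || uid=''
            class=$(classify_loginuid "$uid")
            if [ "$class" = invalid ]; then
                printf 'skip %s pid %s: loginuid not readable\n' "$name" "$pid"
            elif daemon_needs_attention "$name" "$class"; then
                printf 'WARN %s pid %s loginuid=%s (%s): restarted from a login session, reboot to clear\n' \
                    "$name" "$pid" "$uid" "$class"
            else
                printf 'ok   %s pid %s loginuid=%s (%s)\n' "$name" "$pid" "$uid" "$class"
            fi
        done
    done
    [ "$found" -eq 1 ] || echo "none of the listed daemons is running on this host"
}

scan_daemons
```

In Kevin's situation the crond line would read `WARN crond pid <n> loginuid=1386 (inherited:1386)`, matching what his `cat` returned; after the reboot Steve recommends it reads `unset`. Running this from a periodic job gives a cheap regression check that no one has since restarted one of these daemons from a login shell.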