RedHat 6 Testing

RedHat 6 Testing

[Boyce, Kevin P (AS)]

[-- Attachment #1.1: Type: text/plain, Size: 540 bytes --]

All,

I have some puzzling behavior, can anyone shed some light here?

I have a script in cron.weekly that has a command being executed which I am auditing for execve.  That part seems to work fine. However, in the detailed audit report my user id is associated with the execution.  Root owns the files there and ultimately root is the effective UID in the record, but why am I associated with the activity at all?
Audit version is: 2.0.4-1
Kernel version is: 2.6.32-71

I did not notice this behavior in RHEL5.

Regards,
Kevin

[-- Attachment #1.2: Type: text/html, Size: 5212 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: RedHat 6 Testing

[Sean.Hollinger]

[-- Attachment #1.1: Type: text/plain, Size: 1070 bytes --]

Even if the cron is owned by root, I believe the audit records the user
id of the last user to edit the /var/spool/cron/croncrontab file (or
wherever your crontab is located). I have seen this using Solaris but I
haven't specifically noticed it with Linux.

 

Sean

 

 

From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Boyce, Kevin P (AS)
Sent: Friday, March 25, 2011 9:56 AM
To: linux-audit@redhat.com
Subject: RedHat 6 Testing

 

All,

 

I have some puzzling behavior, can anyone shed some light here?

 

I have a script in cron.weekly that has a command being executed which I
am auditing for execve.  That part seems to work fine. However, in the
detailed audit report my user id is associated with the execution.  Root
owns the files there and ultimately root is the effective UID in the
record, but why am I associated with the activity at all?

Audit version is: 2.0.4-1

Kernel version is: 2.6.32-71

 

I did not notice this behavior in RHEL5.

 

Regards,

Kevin


[-- Attachment #1.2: Type: text/html, Size: 6507 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: RedHat 6 Testing

[Boyce, Kevin P (AS)]

[-- Attachment #1.1: Type: text/plain, Size: 1716 bytes --]

I remembered that behavior with Solaris as well.  However, this should be an anacron job.  There is a text file in /var/spool/anacron/cron.weekly with the date of the last time the job was run.  The files here are also owned by root.  Nothing under /var/spool/cron.  I have also disabled SELinux.

The script I have under /etc/cron.weekly does get installed by an rpm package I made and installed (using sudo rpm -ihv).  I can't imagine the audit system queries rpm for who installed the file?

Kevin

From: Sean.Hollinger@gdc4s.com [mailto:Sean.Hollinger@gdc4s.com]
Sent: Friday, March 25, 2011 11:33 AM
To: Boyce, Kevin P (AS); linux-audit@redhat.com
Subject: EXT :RE: RedHat 6 Testing

Even if the cron is owned by root, I believe the audit records the user id of the last user to edit the /var/spool/cron/croncrontab file (or wherever your crontab is located). I have seen this using Solaris but I haven't specifically noticed it with Linux.

Sean


From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Boyce, Kevin P (AS)
Sent: Friday, March 25, 2011 9:56 AM
To: linux-audit@redhat.com
Subject: RedHat 6 Testing

All,

I have some puzzling behavior, can anyone shed some light here?

I have a script in cron.weekly that has a command being executed which I am auditing for execve.  That part seems to work fine. However, in the detailed audit report my user id is associated with the execution.  Root owns the files there and ultimately root is the effective UID in the record, but why am I associated with the activity at all?
Audit version is: 2.0.4-1
Kernel version is: 2.6.32-71

I did not notice this behavior in RHEL5.

Regards,
Kevin

[-- Attachment #1.2: Type: text/html, Size: 8380 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: RedHat 6 Testing

[Steve Grubb]

On Friday, March 25, 2011 10:55:43 am Boyce, Kevin P (AS) wrote:
> I have a script in cron.weekly that has a command being executed which I am
> auditing for execve.  That part seems to work fine. However, in the
> detailed audit report my user id is associated with the execution.  Root
> owns the files there and ultimately root is the effective UID in the
> record, but why am I associated with the activity at all?

What did pam record for the user_start?
ausearch --start today -x crond -m user_start

This should show which account the script will run under. The cron daemon should set 
the loginuid to it. That would cause all actions done by the script to be attributed 
to that user.

Also, have you restarted the cron daemon? Maybe in inheritted your account. You can 
check by this:

cat /proc/`ps -C crond -o pid= | tr -d ' '`/loginuid

-Steve

RE: EXT :Re: RedHat 6 Testing

[Boyce, Kevin P (AS)]

The ausearch records root as the UID.

The cat command returns a UID of 1386 which is my ldap account UID.

Is there a way to prevent cron from inheriting my session (perhaps by removing the session line in /etc/pam.d/crond)?

Kevin

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Friday, March 25, 2011 12:15 PM
To: linux-audit@redhat.com
Cc: Boyce, Kevin P (AS)
Subject: EXT :Re: RedHat 6 Testing

On Friday, March 25, 2011 10:55:43 am Boyce, Kevin P (AS) wrote:
> I have a script in cron.weekly that has a command being executed which I am
> auditing for execve.  That part seems to work fine. However, in the
> detailed audit report my user id is associated with the execution.  Root
> owns the files there and ultimately root is the effective UID in the
> record, but why am I associated with the activity at all?

What did pam record for the user_start?
ausearch --start today -x crond -m user_start

This should show which account the script will run under. The cron daemon should set 
the loginuid to it. That would cause all actions done by the script to be attributed 
to that user.

Also, have you restarted the cron daemon? Maybe in inheritted your account. You can 
check by this:

cat /proc/`ps -C crond -o pid= | tr -d ' '`/loginuid

-Steve

Re: EXT :Re: RedHat 6 Testing

[Steve Grubb]

On Friday, March 25, 2011 02:53:34 pm Boyce, Kevin P (AS) wrote:
> The ausearch records root as the UID.
> 
> The cat command returns a UID of 1386 which is my ldap account UID.
> 
> Is there a way to prevent cron from inheriting my session (perhaps by
> removing the session line in /etc/pam.d/crond)?

If you restarted the daemon, then it literally inherited your credentials and 
environment. The fix for this is rebooting the machine. This only happens if you 
restart sshd, crond, gdm, kdm, xdm since sessions start with them.

-Steve