From: "Harris, Todd"
Subject: user showing up as unset
Date: Mon, 9 May 2011 15:47:39 -0400
Message-ID: <4D8348804BD0AE4EB58593EA9539CFF5A192F6@es-22b.manassas.progeny.net>
To: linux-audit@redhat.com

So I was wondering if anyone had seen this. I have a set of nodes that when we set up auditd on them the events we get back list the auid as unset for basically everything except for login, which shows up correctly. Does anyone know where I may need to look at the config, something in PAM or elsewhere?

_______________________________
Todd Harris
Progeny Systems
Office Number: 703-368-6107 ext517
From: Steve Grubb
Subject: Re: user showing up as unset
Date: Wed, 11 May 2011 10:37:54 -0400
Message-ID: <201105111037.55130.sgrubb@redhat.com>
In-Reply-To: <4D8348804BD0AE4EB58593EA9539CFF5A192F6@es-22b.manassas.progeny.net>
To: linux-audit@redhat.com
Cc: "Harris, Todd"

On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote:
> So I was wondering if anyone had seen this. I have a set of nodes that
> when we set up auditd on them the events we get back list the auid as
> unset for basically everything except for login which shows up
> correctly. Does anyone know where I may need to look at the config,
> something in PAM or elsewhere?

All entry point daemons should have a call to pam_loginuid in their pam stack. This would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You might also want audit=1 added to the kernel boot line.

-Steve
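The two things Steve's reply asks for can be verified on a node without reading the PAM files by hand. The checker below is an added example and is not code from this thread or from the audit project; it assumes the Red Hat layout of one file per service under /etc/pam.d (the file for what the mail calls cron is crond there) and the Linux /proc/cmdline. The string-level functions are what matter: a commented-out pam_loginuid line must not count as present, and audit=1 must match as a whole token (audit=10 or noaudit=1 do not). Without audit=1, processes started before auditd, such as anything spawned from inittab, have no audit context, which is one more reason their events show auid=unset.

```c
/* Added example: check the pam_loginuid placement and audit=1 boot flag that
 * the reply above recommends. Not code from the thread or from audit itself.
 * Assumed: /etc/pam.d/<service> files (Red Hat layout) and /proc/cmdline. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Bounded substring search so a match cannot spill into the next line. */
static int span_contains(const char *s, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(s + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the PAM stack text has an active (non-comment) line that loads
 * pam_loginuid.so, else 0. A commented-out module line does not count. */
int pam_stack_has_loginuid(const char *text)
{
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t i = 0;
        while (i < len && isspace((unsigned char)line[i])) i++;
        if (i < len && line[i] != '#' &&
            span_contains(line + i, len - i, "pam_loginuid.so"))
            return 1;
        line = nl ? nl + 1 : line + len;
    }
    return 0;
}

/* 1 if the kernel command line carries the exact token audit=1, else 0. */
int cmdline_has_audit(const char *cmdline)
{
    const char *p = cmdline;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        const char *tok = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        if ((size_t)(p - tok) == 7 && memcmp(tok, "audit=1", 7) == 0)
            return 1;
    }
    return 0;
}

/* Read a small text file into buf; returns 0, or -1 if missing/unreadable. */
static int slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    /* Entry points named in the mail; "crond" is the Red Hat file name for cron. */
    static const char *services[] = { "login", "sshd", "gdm", "kdm", "xdm", "vsftpd", "crond" };
    static char buf[65536];
    char path[256];
    int missing = 0;

    for (size_t i = 0; i < sizeof services / sizeof services[0]; i++) {
        snprintf(path, sizeof path, "/etc/pam.d/%s", services[i]);
        if (slurp(path, buf, sizeof buf) != 0) {
            printf("%-8s no pam file (service not installed?)\n", services[i]);
            continue;
        }
        int ok = pam_stack_has_loginuid(buf);
        printf("%-8s %s\n", services[i],
               ok ? "pam_loginuid present" : "MISSING pam_loginuid -> auid will be unset");
        missing += !ok;
    }
    if (slurp("/proc/cmdline", buf, sizeof buf) == 0)
        printf("cmdline  %s\n", cmdline_has_audit(buf)
               ? "audit=1 present"
               : "audit=1 absent (processes started before auditd get no audit context)");
    return missing ? 1 : 0;
}
```

Run it as root on a node that shows the symptom; a non-zero exit means at least one installed entry point lacks pam_loginuid, and every session that daemon starts will carry auid=unset into the log.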
From: "Harris, Todd"
Subject: RE: user showing up as unset
Date: Thu, 12 May 2011 14:24:29 -0400
Message-ID: <4D8348804BD0AE4EB58593EA9539CFF5A19351@es-22b.manassas.progeny.net>
In-Reply-To: <201105111037.55130.sgrubb@redhat.com>
To: Steve Grubb, linux-audit@redhat.com

If I have a process that starts up automatically without going through the pam stack, and users can interact with it, is there any good way to assign a uid that the audit system can use? Is it possible to have it change /proc/self/loginuid? The problem isn't so much what they do with the process as it is the fact that it allows them to call up a terminal; that terminal always starts as a particular user, but its loginuid isn't set.

From: Steve Grubb
Subject: Re: user showing up as unset
Date: Thu, 12 May 2011 14:30:41 -0400
Message-ID: <201105121430.41800.sgrubb@redhat.com>
In-Reply-To: <4D8348804BD0AE4EB58593EA9539CFF5A19351@es-22b.manassas.progeny.net>
To: "Harris, Todd"
Cc: linux-audit@redhat.com

On Thursday, May 12, 2011 02:24:29 PM Harris, Todd wrote:
> If I have a process that starts up automatically without going through
> the pam stack, and users can interact with it. Is there any good way to
> assign a uid that the audit system can use? Is it possible to have it
> change /proc/self/loginuid?

If the program has CAP_AUDIT_CONTROL, then it can change that value. Modify the source code to write the uid into that file.

-Steve

From: "Harris, Todd"
Subject: RE: user showing up as unset
Date: Thu, 12 May 2011 15:07:17 -0400
Message-ID: <4D8348804BD0AE4EB58593EA9539CFF5A19352@es-22b.manassas.progeny.net>
In-Reply-To: <201105121430.41800.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

Last question on this topic, I promise. The program is one that I have very limited control over, and it's started by the inittab. It is starting an xterm with "xterm -c su - username". Other than adding the loginuid to the su pam stack, is there any simple way to get the loginuid set to username?
From: Steve Grubb
Subject: Re: user showing up as unset
Date: Fri, 13 May 2011 08:21:33 -0400
Message-ID: <201105130821.34218.sgrubb@redhat.com>
In-Reply-To: <4D8348804BD0AE4EB58593EA9539CFF5A19352@es-22b.manassas.progeny.net>
To: "Harris, Todd"
Cc: linux-audit@redhat.com

On Thursday, May 12, 2011 03:07:17 PM Harris, Todd wrote:
> Last question on this topic I promise.
> The program is one that I have very limited control over, and it's
> started by the inittab. It is starting an xterm with "xterm -c su -
> username". Other than adding the loginuid to the su pam stack is there
> any simple way to get the loginuid set to username?

You should have the source code to xterm. You can change it. It's only 3 lines of code, assuming you already did the username lookup: fopen, fwrite, fclose.

Aside from that, you could add pam_loginuid to su's pam settings. But then you have an admin problem if they ever use it. So, you might want to forbid admins from using it in the pam settings also. Procedurally, they could use sudo.

-Steve
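The fopen/fwrite/fclose step Steve describes, written out with the checks a defender wants around it, as an added example that is not the thread's code and not xterm's: it assumes Linux /proc/self/loginuid, that the caller resolves the user with getpwnam as the mail presumes, and that the process holds CAP_AUDIT_CONTROL (root on the kernels of that era). The kernel expects the decimal uid in one write, so the stream is made unbuffered to get errno from the fwrite itself; EPERM means the capability is missing, and some kernel configurations also refuse to overwrite an already-set loginuid, which surfaces the same way. Because loginuid is inherited across fork and exec, setting it in xterm before it spawns "su - username" attributes su and everything under it. The value 4294967295 is what ausearch prints as "unset".

```c
/* Added example: set the audit loginuid of the calling process the way the
 * reply above describes. Not code from the thread or from xterm. Assumed:
 * Linux /proc/self/loginuid, getpwnam for the username lookup, and
 * CAP_AUDIT_CONTROL in the caller. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <sys/types.h>

#define LOGINUID_UNSET ((uid_t)-1)   /* logged as auid=4294967295, "unset" */
static const char LOGINUID_PATH[] = "/proc/self/loginuid";

/* Parse the text read from /proc/self/loginuid. Returns the uid (0..2^32-1)
 * or -1 if the text is not a bare decimal number. */
long parse_loginuid_text(const char *text)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (end == text || errno != 0) return -1;
    if (*end != '\0' && *end != '\n') return -1;   /* trailing junk */
    if (v > 0xffffffffUL) return -1;
    return (long)v;
}

int loginuid_is_unset(uid_t uid)
{
    return uid == LOGINUID_UNSET;
}

/* Read the current loginuid. Returns 0 on success, -errno on failure. */
int get_loginuid(uid_t *out)
{
    char buf[32];
    FILE *f = fopen(LOGINUID_PATH, "r");
    if (!f) return -errno;
    if (!fgets(buf, sizeof buf, f)) { int e = errno ? errno : EIO; fclose(f); return -e; }
    fclose(f);
    long v = parse_loginuid_text(buf);
    if (v < 0) return -EINVAL;
    *out = (uid_t)v;
    return 0;
}

/* The three calls from the mail: fopen, fwrite, fclose. Returns 0 on
 * success, -errno otherwise. EPERM: no CAP_AUDIT_CONTROL, or the kernel
 * treats an already-set loginuid as immutable. */
int set_loginuid(uid_t uid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%u", (unsigned)uid);
    FILE *f = fopen(LOGINUID_PATH, "w");
    if (!f) return -errno;
    setvbuf(f, NULL, _IONBF, 0);   /* make the fwrite the single write() */
    if (fwrite(buf, 1, (size_t)n, f) != (size_t)n) {
        int e = errno ? errno : EIO;
        fclose(f);
        return -e;
    }
    if (fclose(f) != 0) return -errno;
    return 0;
}

/* Resolve a username and attribute this process (and its future children)
 * to it. Skips the write when the loginuid already carries that uid. */
int set_loginuid_for_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (!pw) return -ENOENT;
    uid_t cur;
    if (get_loginuid(&cur) == 0 && cur == pw->pw_uid) return 0;
    return set_loginuid(pw->pw_uid);
}

int main(int argc, char **argv)
{
    uid_t cur;
    int rc = get_loginuid(&cur);
    if (rc) { fprintf(stderr, "read loginuid: %s\n", strerror(-rc)); return 1; }
    printf("current loginuid: %s\n", loginuid_is_unset(cur) ? "unset" : "set");
    if (argc > 1) {
        rc = set_loginuid_for_user(argv[1]);
        if (rc) { fprintf(stderr, "set loginuid for %s: %s\n", argv[1], strerror(-rc)); return 1; }
        printf("loginuid now attributed to %s\n", argv[1]);
    }
    return 0;
}
```

In xterm the call belongs right after the username lookup and before the fork that runs the -c command; after the change, an `ausearch -ua username` on the node should return the events that previously carried auid=unset.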