public inbox for linux-audit@redhat.com
* user showing up as unset
From: Harris, Todd @ 2011-05-09 19:47 UTC
  To: linux-audit



So I was wondering if anyone had seen this.  I have a set of nodes that
when we set up auditd on them the events we get back list the auid as
unset for basically everything except for login which shows up
correctly.  Does anyone know where I may need to look at the config,
something in PAM or elsewhere?

_______________________________
Todd Harris
Progeny Systems
Office Number: 703-368-6107 ext517



* Re: user showing up as unset
From: Steve Grubb @ 2011-05-11 14:37 UTC
  To: linux-audit; +Cc: Harris, Todd

On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote:
> So I was wondering if anyone had seen this.  I have a set of nodes that
> when we set up auditd on them the events we get back list the auid as
> unset for basically everything except for login which shows up
> correctly.  Does anyone know where I may need to look at the config,
> something in PAM or elsewhere?

All entry point daemons should have a call to pam_loginuid in their pam stack. This 
would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You might also want audit=1 
added to the kernel boot line.

-Steve
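
A check for the two settings named in this reply, as an added example that is not from the thread's participants or the audit project. The function names are hypothetical; the checker reads one PAM service file at a time and does not follow include or substack lines.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if the PAM service file has an active "session" line loading pam_loginuid,
   0 if not, -1 if unreadable. Does not follow include/substack lines. */
int pam_stack_sets_loginuid(const char *path)
{
    char line[1024];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    while (!found && fgets(line, sizeof line, f) != NULL) {
        char *p = line, *hash = strchr(line, '#');
        if (hash != NULL) *hash = '\0';      /* drop comments */
        while (isspace((unsigned char)*p)) p++;
        if (*p == '-') p++;                  /* "-session": quiet-if-missing prefix */
        if (strncmp(p, "session", 7) == 0 && isspace((unsigned char)p[7]))
            found = strstr(p, "pam_loginuid") != NULL;
    }
    fclose(f);
    return found;
}

/* 1 if the kernel command line file contains the token audit=1, 0 if not, -1 on error. */
int cmdline_has_audit1(const char *path)
{
    char buf[4096];
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    for (char *tok = strtok(buf, " \t\n"); tok != NULL; tok = strtok(NULL, " \t\n"))
        if (strcmp(tok, "audit=1") == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Arguments are PAM service files, e.g. /etc/pam.d/sshd /etc/pam.d/crond */
    for (int i = 1; i < argc; i++)
        printf("%-24s pam_loginuid: %d\n", argv[i], pam_stack_sets_loginuid(argv[i]));
    printf("%-24s audit=1: %d\n", "/proc/cmdline", cmdline_has_audit1("/proc/cmdline"));
    return 0;
}
```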


* RE: user showing up as unset
From: Harris, Todd @ 2011-05-12 18:24 UTC
  To: Steve Grubb, linux-audit

If I have a process that starts up automatically without going through
the pam stack, and users can interact with it, is there any good way to
assign a uid that the audit system can use?  Is it possible to have it
change /proc/self/loginuid?

	The problem isn't so much what they do with the process as it is
the fact that it allows them to call up a terminal, that terminal always
starts as a particular user, but its loginuid isn't set.


* Re: user showing up as unset
From: Steve Grubb @ 2011-05-12 18:30 UTC
  To: Harris, Todd; +Cc: linux-audit

On Thursday, May 12, 2011 02:24:29 PM Harris, Todd wrote:
> If I have a process that starts up automatically without going through
> the pam stack, and users can interact with it, is there any good way to
> assign a uid that the audit system can use?  Is it possible to have it
> change /proc/self/loginuid?

If the program has CAP_AUDIT_CONTROL, then it can change that value. Modify the source 
code to write the uid into that file.

-Steve


* RE: user showing up as unset
From: Harris, Todd @ 2011-05-12 19:07 UTC
  To: Steve Grubb; +Cc: linux-audit

Last question on this topic I promise.
   The program is one that I have very limited control over, and it's
started by the inittab.  It is starting an xterm with "xterm -c su -
username".  Other than adding the loginuid to the su pam stack is there
any simple way to get the loginuid set to username?  


* Re: user showing up as unset
From: Steve Grubb @ 2011-05-13 12:21 UTC
  To: Harris, Todd; +Cc: linux-audit

On Thursday, May 12, 2011 03:07:17 PM Harris, Todd wrote:
> Last question on this topic I promise.
>    The program is one that I have very limited control over, and it's
> started by the inittab.  It is starting an xterm with "xterm -c su -
> username".  Other than adding the loginuid to the su pam stack is there
> any simple way to get the loginuid set to username?  

You should have the source code to xterm. You can change it. It's only 3 lines of code 
assuming you already did the username lookup. fopen, fwrite, fclose. Aside from that, 
you could add pam_loginuid to su's pam settings. But then you have an admin problem if 
they ever use it. So, you might want to forbid admins from using it in the pam 
settings also. Procedurally, they could use sudo.

-Steve
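
The write described in this reply and in the earlier CAP_AUDIT_CONTROL reply (fopen, write, fclose on /proc/self/loginuid), as an added example that is not xterm's code or the posters' code. Function names are hypothetical; the path is a parameter so the routines can be exercised on an ordinary file, and the reader treats 4294967295, i.e. (uid_t)-1, as the unset value.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define LOGINUID_PATH "/proc/self/loginuid"
#define AUID_UNSET ((uid_t)-1)  /* read back as 4294967295; audit reports it as "unset" */

/* Write uid as decimal text to path; 0 on success, -1 on failure (errno set). */
int write_loginuid(const char *path, uid_t uid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    int rc = fprintf(f, "%lu", (unsigned long)uid) < 0 ? -1 : 0;
    /* stdio buffers the write, so a refusal by the kernel (the thread names
       CAP_AUDIT_CONTROL as the requirement) only surfaces at fclose(). */
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Read the loginuid stored at path into *out; 0 on success, -1 on failure. */
int read_loginuid(const char *path, uid_t *out)
{
    unsigned long v;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    int n = fscanf(f, "%lu", &v);
    fclose(f);
    if (n != 1) return -1;
    *out = (uid_t)v;
    return 0;
}

/* 1 if the loginuid at path is unset, 0 if set, -1 if it cannot be read. */
int loginuid_is_unset(const char *path)
{
    uid_t v;
    if (read_loginuid(path, &v) != 0) return -1;
    return v == AUID_UNSET;
}

int main(int argc, char **argv)
{
    /* Usage: prog username. A real caller does this before spawning the user's shell. */
    struct passwd *pw = argc == 2 ? getpwnam(argv[1]) : NULL;
    if (pw == NULL) { fprintf(stderr, "usage: %s <existing-username>\n", argv[0]); return 2; }
    if (write_loginuid(LOGINUID_PATH, pw->pw_uid) != 0) { perror(LOGINUID_PATH); return 1; }
    printf("loginuid unset now: %d\n", loginuid_is_unset(LOGINUID_PATH));
    return 0;
}
```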
