* auid field when switching user
@ 2015-05-06 14:39 Guillaume L.
From: Guillaume L. @ 2015-05-06 14:39 UTC (permalink / raw)
To: linux-audit
Hello,
I'm trying to use auditd to log all actions made by the users on the
system. This part works fine.
The documentation mentions the "auid" field to identify the user from the
first connection "even" when the user's identity changes (like with a su):
auid=500
The auid field records the Audit user ID, that is the loginuid. This ID is
assigned to a user upon login and is inherited by every process even when
the user's identity changes (for example, by switching user accounts with
the su - john command).
But this is not working. If I log in as the user "test" (uid 1000) and then
switch to the user root, the value of auid is 0 (the uid of root).
Did I miss something?
Thank you in advance.
Regards,
--
Guillaume
* Re: auid field when switching user
From: Steve Grubb @ 2015-05-06 14:56 UTC (permalink / raw)
To: linux-audit
Hello,
On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> I'm trying to use auditd to log all actions made by the users on the
> system. This part works fine.
>
> The documentation mentions the "auid" field to identify the user from the
> first connection "even" when the user's identity changes (like with a su):
Correct.
> auid=500
> The auid field records the Audit user ID, that is the loginuid. This ID is
> assigned to a user upon login and is inherited by every process even when
> the user's identity changes (for example, by switching user accounts with
> the su - john command).
>
> But this is not working. If I log with the user "test" (uid 1000) when I
> switch to the user root, the value of auid is 0 (the uid of root).
How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:
AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed
-Steve
* Re: auid field when switching user
From: Burn Alting @ 2015-05-06 22:13 UTC (permalink / raw)
To: linux-audit
On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> Hello,
>
> On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > I'm trying to use auditd to log all actions made by the users on the
> > system. This part works fine.
> >
> > The documentation mentions the "auid" field to identify the user from the
> > first connection "even" when the user's identity changes (like with a su):
>
> Correct.
>
> > auid=500
> > The auid field records the Audit user ID, that is the loginuid. This ID is
> > assigned to a user upon login and is inherited by every process even when
> > the user's identity changes (for example, by switching user accounts with
> > the su - john command).
> >
> > But this is not working. If I log with the user "test" (uid 1000) when I
> > switch to the user root, the value of auid is 0 (the uid of root).
>
> How did you switch the user? I would like to try recreating the issue. It may
> be that the underlying implementation actually does log you out. You'd have to
> look for one of:
>
> AUDIT_USER_LOGOUT - User has logged out
> AUDIT_USER_END - User session end
> AUDIT_CRED_DISP - User credential disposed
>
Perhaps pam_loginuid hasn't been applied
in /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
When searching for the module, do you see something like
# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/atd:session required pam_loginuid.so
/etc/pam.d/crond:session required pam_loginuid.so
/etc/pam.d/gdm:session required pam_loginuid.so
/etc/pam.d/gdm-autologin:session required pam_loginuid.so
/etc/pam.d/gdm-fingerprint:session required pam_loginuid.so
/etc/pam.d/gdm-password:session required pam_loginuid.so
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/remote:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:session required pam_loginuid.so
#
If not, then read up on how to use required pam modules.
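Added example, not code from the thread: a checker in the spirit of Burn's grep that walks the session stack of each entry-point service, following Debian's "@include" and "session include" lines, since on Debian the module often arrives via common-session rather than the service file itself. The file contents and the service list are constructed.

```python
import re

# Constructed /etc/pam.d fragments in Debian style: "sshd" lists the module
# directly, "login" gets it through @include common-session, "crond" only has
# it commented out, and "atd" lacks it entirely.
PAM_FILES = {
    "common-session": "session required pam_unix.so\n"
                      "session required pam_loginuid.so\n",
    "sshd": "auth required pam_unix.so\nsession required pam_loginuid.so\n",
    "login": "auth required pam_unix.so\n@include common-session\n",
    "crond": "# session required pam_loginuid.so\nsession required pam_unix.so\n",
    "atd": "auth required pam_unix.so\nsession required pam_unix.so\n",
}
# Services that start a new login session and therefore must set loginuid.
ENTRY_POINTS = ["atd", "crond", "login", "sshd"]

# session <control> <module>; control may be a bracketed form like [success=1 default=ignore]
SESSION_RE = re.compile(r'session\s+(\[[^\]]*\]|\S+)\s+(\S+)')

def session_modules(service, files, seen=None):
    """Return module names in the session stack of a service, following
    '@include file' and 'session include file' (both used on Debian)."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    modules = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        parts = line.split()
        if parts[:1] == ["@include"] and len(parts) > 1:
            modules += session_modules(parts[1], files, seen)
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue
        control, module = m.groups()
        if control == "include":
            modules += session_modules(module, files, seen)
        else:
            modules.append(module.rsplit("/", 1)[-1])
    return modules

def services_missing_loginuid(files, entry_points):
    """Entry-point services whose session stack never calls pam_loginuid.so."""
    return [s for s in entry_points
            if "pam_loginuid.so" not in session_modules(s, files)]
```

On a real host, build the dict by reading each file under /etc/pam.d into it by name; a service reported here will start sessions whose auid stays unset, so its actions cannot be traced back to the login user.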
* Re: auid field when switching user
2015-05-06 22:13 ` Burn Alting
@ 2015-05-07 9:02 ` Guillaume L.
From: Guillaume L. @ 2015-05-07 9:02 UTC (permalink / raw)
To: burn; +Cc: linux-audit
Thank you !
I think you pointed out what was missing. My first try was on Debian wheezy. Now I
am trying on Debian jessie. With jessie, all requirements seem present and the
auid field has the right value!
type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59
success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2
ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716): cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"
Thank you for your help !
--
Guillaume
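Added example, not part of the thread: a parser for records like the SYSCALL line above that groups root activity by the login user (auid) and flags records whose auid is unset (4294967295), which is what sessions that never passed through pam_loginuid produce. The first SYSCALL record is the one quoted above; the second is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: record 23716 is the SYSCALL line from the thread
# (auid=1000 survives the switch to uid=0); record 23720 is a constructed
# line showing a session in which pam_loginuid never ran (auid unset).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59 success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2 ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=SYSCALL msg=audit(1430989300.100:23720): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=100 pid=101 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="id" exe="/usr/bin/id" key="auditcmd"
"""

UNSET = 4294967295          # (unsigned)-1: the kernel's "loginuid never set"
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r'audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict, unquoting quoted values and
    adding the event serial under the key "event"."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def attribute_syscalls(log_text):
    """Group SYSCALL records by the login user (auid) that started the
    session; records with auid unset cannot be attributed to anyone and
    point at a service whose PAM session stack lacks pam_loginuid."""
    attributed = defaultdict(list)
    unattributed = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        entry = (rec["event"], rec["uid"], rec["comm"])
        if int(rec["auid"]) == UNSET:
            unattributed.append(entry)
        else:
            attributed[int(rec["auid"])].append(entry)
    return dict(attributed), unattributed

if __name__ == "__main__":
    by_login, unset = attribute_syscalls(SAMPLE_LOG)
    for auid, entries in by_login.items():
        for event, uid, comm in entries:
            print(f"event {event}: {comm!r} ran as uid {uid}, login user auid={auid}")
    for event, uid, comm in unset:
        print(f"event {event}: {comm!r} ran as uid {uid} with auid unset")
```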