* auid field when switching user
From: Guillaume L. @ 2015-05-06 14:39 UTC
To: linux-audit

Hello,

I'm trying to use auditd to log all actions made by the users on the system. This part works fine.

The documentation mentions the "auid" field to identify the user from the first connection "even" when the user's identity changes (like with a su):

    auid=500
    The auid field records the Audit user ID, that is the loginuid. This ID is
    assigned to a user upon login and is inherited by every process even when
    the user's identity changes (for example, by switching user accounts with
    the su - john command).

But this is not working. If I log in with the user "test" (uid 1000) and then switch to the user root, the value of auid is 0 (the uid of root).

Did I miss something?

Thank you in advance.

Regards,
-- 
Guillaume
* Re: auid field when switching user
From: Steve Grubb @ 2015-05-06 14:56 UTC
To: linux-audit

Hello,

On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> I'm trying to use auditd to log all actions made by the users on the
> system. This part works fine.
>
> The documentation mention the "auid" field to identify the user from the
> first connection "even" when the user's identity changes (like with a su):

Correct.

> auid=500
> The auid field records the Audit user ID, that is the loginuid. This ID is
> assigned to a user upon login and is inherited by every process even when
> the user's identity changes (for example, by switching user accounts with
> the su - john command).
>
> But this is not working. If I log with the user "test" (uid 1000) when I
> switch to the user root, the value of auid is 0 (the uid of root).

How did you switch the user? I would like to try recreating the issue. It may
be that the underlying implementation actually does log you out. You'd have to
look for one of:

AUDIT_USER_LOGOUT - User has logged out
AUDIT_USER_END - User session end
AUDIT_CRED_DISP - User credential disposed

-Steve
* Re: auid field when switching user
From: Burn Alting @ 2015-05-06 22:13 UTC
To: linux-audit

On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> Hello,
>
> On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > I'm trying to use auditd to log all actions made by the users on the
> > system. This part works fine.
> >
> > The documentation mention the "auid" field to identify the user from the
> > first connection "even" when the user's identity changes (like with a su):
>
> Correct.
>
> > auid=500
> > The auid field records the Audit user ID, that is the loginuid. This ID is
> > assigned to a user upon login and is inherited by every process even when
> > the user's identity changes (for example, by switching user accounts with
> > the su - john command).
> >
> > But this is not working. If I log with the user "test" (uid 1000) when I
> > switch to the user root, the value of auid is 0 (the uid of root).
>
> How did you switch the user? I would like to try recreating the issue. It may
> be that the underlying implementation actually does log you out. You'd have to
> look for one of:
>
> AUDIT_USER_LOGOUT - User has logged out
> AUDIT_USER_END - User session end
> AUDIT_CRED_DISP - User credential disposed
>

Perhaps pam_loginuid hasn't been applied in
/etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}

When searching for the module, do you see something like

# grep pam_loginuid /etc/pam.d/*
/etc/pam.d/atd:session required pam_loginuid.so
/etc/pam.d/crond:session required pam_loginuid.so
/etc/pam.d/gdm:session required pam_loginuid.so
/etc/pam.d/gdm-autologin:session required pam_loginuid.so
/etc/pam.d/gdm-fingerprint:session required pam_loginuid.so
/etc/pam.d/gdm-password:session required pam_loginuid.so
/etc/pam.d/login:session required pam_loginuid.so
/etc/pam.d/remote:session required pam_loginuid.so
/etc/pam.d/sshd:session required pam_loginuid.so
/etc/pam.d/ssh-keycat:session required pam_loginuid.so
#

If not, then read up on how to use required pam modules.

>
> -Steve
* Re: auid field when switching user
From: Guillaume L. @ 2015-05-07 9:02 UTC
To: burn; +Cc: linux-audit

Thank you! I think you pointed out the "missing" part.

My first try was on Debian wheezy. Now I'm trying on Debian jessie. With jessie, all requirements seem present and the auid field has the right value!

type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59 success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2 ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716): cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"

Thank you for your help!

-- 
Guillaume

On Thu, May 7, 2015 at 12:13 AM, Burn Alting <burn@swtf.dyndns.org> wrote:
> On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> > Hello,
> >
> > On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > > I'm trying to use auditd to log all actions made by the users on the
> > > system. This part works fine.
> > >
> > > The documentation mention the "auid" field to identify the user from the
> > > first connection "even" when the user's identity changes (like with a su):
> >
> > Correct.
> >
> > > auid=500
> > > The auid field records the Audit user ID, that is the loginuid. This ID is
> > > assigned to a user upon login and is inherited by every process even when
> > > the user's identity changes (for example, by switching user accounts with
> > > the su - john command).
> > >
> > > But this is not working. If I log with the user "test" (uid 1000) when I
> > > switch to the user root, the value of auid is 0 (the uid of root).
> >
> > How did you switch the user? I would like to try recreating the issue. It may
> > be that the underlying implementation actually does log you out. You'd have to
> > look for one of:
> >
> > AUDIT_USER_LOGOUT - User has logged out
> > AUDIT_USER_END - User session end
> > AUDIT_CRED_DISP - User credential disposed
> >
>
> Perhaps pam_loginuid hasn't been applied in
> /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
>
> When searching for the module, do you see something like
>
> # grep pam_loginuid /etc/pam.d/*
> /etc/pam.d/atd:session required pam_loginuid.so
> /etc/pam.d/crond:session required pam_loginuid.so
> /etc/pam.d/gdm:session required pam_loginuid.so
> /etc/pam.d/gdm-autologin:session required pam_loginuid.so
> /etc/pam.d/gdm-fingerprint:session required pam_loginuid.so
> /etc/pam.d/gdm-password:session required pam_loginuid.so
> /etc/pam.d/login:session required pam_loginuid.so
> /etc/pam.d/remote:session required pam_loginuid.so
> /etc/pam.d/sshd:session required pam_loginuid.so
> /etc/pam.d/ssh-keycat:session required pam_loginuid.so
> #
>
> If not, then read up on how to use required pam modules.
>
> >
> > -Steve
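The thread turns on one property of the audit subsystem: auid (the loginuid) is set once by pam_loginuid when a session starts and is then inherited by every child process, so after su the SYSCALL record still carries the login user's uid in auid while uid/euid show the new identity. The script below is an added example, not code from the thread participants or from the audit project. It parses raw audit records in the format Guillaume posted and sorts each SYSCALL record into the three states a defender wants to distinguish: auid equal to the unset value 4294967295 (the process descends from a session that never ran pam_loginuid, so the action cannot be tied to a login), auid different from uid (identity changed after login; auid still names who logged in), and auid equal to uid. The first sample record is Guillaume's own line from the message above; the other records, the `loginuid_report` helper and the field regex are constructed for this example.

```python
"""Added example: classify the auid (loginuid) state of audit SYSCALL records.

Not from the linux-audit thread or the audit project; written to illustrate
the point the thread makes about auid surviving a switch of user identity.
"""
import re

# (uid_t)-1: what the kernel reports when loginuid was never set for the session.
UNSET_LOGINUID = 4294967295

# key=value pairs; the value is either a double-quoted string or a run of
# non-space characters (covers auid=1000, msg=audit(...): and name=(null)).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample input. The first record is the SYSCALL record posted in the thread;
# the remaining records are constructed for this example.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2 '
    'ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"',
    # constructed: a session that never ran pam_loginuid, so auid and ses are unset
    'type=SYSCALL msg=audit(1430990000.001:23800): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=17000 pid=17001 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts2 ses=4294967295 comm="id" exe="/usr/bin/id" key="auditcmd"',
    # constructed: the login user acting as themselves
    'type=SYSCALL msg=audit(1430990100.002:23850): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=17100 pid=17101 '
    'auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts3 ses=40 comm="ls" exe="/bin/ls" key="auditcmd"',
    # constructed: a non-SYSCALL record, which carries no auid and is skipped
    'type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"',
]


def parse_record(line):
    """Split one audit record into a dict of field name -> value.

    Double quotes around string values are removed; every other value is kept
    as raw text and the caller converts numeric fields as needed.
    """
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(record):
    """Describe the loginuid state of a parsed record.

    Returns "unset" when auid is (uid_t)-1, "switched" when auid differs
    from uid (identity changed after login, auid still identifies the login
    user), "same" when they match, and None for non-SYSCALL records.
    """
    if record.get("type") != "SYSCALL":
        return None
    auid = int(record["auid"])
    uid = int(record["uid"])
    if auid == UNSET_LOGINUID:
        return "unset"
    return "switched" if auid != uid else "same"


def loginuid_report(lines):
    """Return (pid, auid, uid, comm, verdict) for every SYSCALL record in lines."""
    report = []
    for line in lines:
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict is None:
            continue
        report.append((int(rec["pid"]), int(rec["auid"]), int(rec["uid"]),
                       rec["comm"], verdict))
    return report


if __name__ == "__main__":
    for pid, auid, uid, comm, verdict in loginuid_report(SAMPLE_RECORDS):
        print(f"pid={pid} auid={auid} uid={uid} comm={comm}: {verdict}")
```

Run against Guillaume's record the report shows `auid=1000 uid=0 ... switched`, which is the behaviour the documentation he quoted promises: the su to root is visible in uid, but auid still points back at the user who logged in. A run of "unset" verdicts on a host is the signal that pam_loginuid is missing from a PAM service file, which is the check Burn Alting's grep performs.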