From: LC Bruzenak
Subject: Re: audispd audit-remote plugin and uid, gid, euid, suid, fsuid, egid, sgid, fsgid
Date: Thu, 13 Nov 2014 09:32:12 -0600
Message-ID: <5464CEFC.8020000@magitekltd.com>
In-Reply-To: <1967507.tPLZkmirFL@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
On 11/13/2014 09:01 AM, Steve Grubb wrote:
> They could unless use of those utilities are restricted. You could also setup
> a centralized user name management system to help things. But if you want to
> tackle this yourself, I think the uids, gids, and hostnames are the main
> things that need interpreting locally. Everything else can be done after the
> fact.

This subject is one I've griped about before. I'm amazed that more people
haven't mentioned this.

From an assurance perspective, having the human-understandable names of the
accounts is important. If auditing systems aggregate records from multiple
sources, this is pretty big.

Until we can easily do something like the following, this isn't dire:

machine:          local aggregator      enterprise aggregator
---------------   -------------------   -----------------------------
finance sys1   ->
finance sys2   ->  fin. aggr   \
finance sys3   ->               ->
engineering1   ->
engineering2   ->  eng. aggr   ->      enterprise aggregator
engineering3   ->
marketing1     ->               ->
marketing2     ->  mark. aggr  /
marketing3     ->

In fact, to me, the ultimate assurance architecture would be to have the
username management system reside on the local auditing aggregator with a
very controlled/audited/secure interface. Then I'd interpret the uids, gids
and hns there.
My $0.02 FWIW,
LCB

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
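The local interpretation step the thread describes, numeric uids and gids resolved against the originating host's account database before the records reach an aggregator, as an added example in Python. It is not part of audispd, the audit-remote plugin, or any poster's code. The per-host account tables (HOST_USERS, HOST_GROUPS) and the three audit records are constructed for illustration; a real deployment would take them from each source host's /etc/passwd and /etc/group, or from the controlled user-management interface Lenny proposes for the local aggregator.

```python
"""Resolve numeric uid/gid fields in raw audit records against the
ORIGINATING host's account database, before the records are forwarded
to an aggregator.  Added example, not audit-remote's own code; the
per-host tables and sample records below are constructed."""
import re

# Kernel-emitted uid-type and gid-type fields (SYSCALL and PATH records).
UID_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "ouid"}
GID_FIELDS = {"gid", "egid", "sgid", "fsgid", "ogid"}
UNSET = 4294967295  # (uid_t)-1: auid/ses of processes with no login session

# Constructed stand-ins for each host's /etc/passwd and /etc/group.
# Assumption: the aggregator holds a trusted copy of every source host's map.
HOST_USERS = {
    "finance-sys1": {0: "root", 1000: "alice", 1001: "bob"},
    "engineering1": {0: "root", 1000: "carol", 1002: "dave"},
}
HOST_GROUPS = {
    "finance-sys1": {0: "root", 100: "users", 1000: "alice"},
    "engineering1": {0: "root", 100: "users", 1000: "carol"},
}

# key=value pairs; a value is either a quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into an ordered list of (key, value) pairs."""
    return FIELD_RE.findall(line)


def _lookup(table, value):
    """Name for a numeric id, 'unset' for (uid_t)-1, or None if unknown."""
    try:
        n = int(value)
    except ValueError:
        return None
    if n == UNSET:
        return "unset"
    return table.get(n)


def interpret(host, line):
    """Rewrite the uid/gid fields of `line` using `host`'s tables.

    Returns (rewritten_line, unresolved): fields with no mapping are left
    numeric and listed in `unresolved`, so a gap in the map is visible to
    the auditor instead of silently producing a wrong name."""
    users = HOST_USERS.get(host, {})
    groups = HOST_GROUPS.get(host, {})
    out, unresolved = [], []
    for key, value in parse_record(line):
        table = users if key in UID_FIELDS else groups if key in GID_FIELDS else None
        if table is not None:
            name = _lookup(table, value)
            if name is None:
                unresolved.append(key)
            else:
                value = name
        out.append(f"{key}={value}")
    return " ".join(out), unresolved


# Constructed records: the same numeric uid 1000 on two different hosts,
# a cron job with no login session, and a uid the finance map does not know.
SAMPLE = [
    ("finance-sys1",
     'type=SYSCALL msg=audit(1415891532.123:4567): arch=c000003e syscall=2 '
     'success=yes exit=3 ppid=2110 pid=2210 auid=1000 uid=1000 gid=1000 '
     'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 '
     'comm="passwd" exe="/usr/bin/passwd" key="identity"'),
    ("engineering1",
     'type=SYSCALL msg=audit(1415891540.456:91): arch=c000003e syscall=59 '
     'success=yes exit=0 ppid=1 pid=3001 auid=4294967295 uid=1000 gid=100 '
     'euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 '
     'tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)'),
    ("finance-sys1",
     'type=SYSCALL msg=audit(1415891550.789:4570): arch=c000003e syscall=2 '
     'success=no exit=-13 ppid=2110 pid=2250 auid=1002 uid=1002 gid=1002 '
     'euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 '
     'tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="identity"'),
]


def interpret_all(records=SAMPLE):
    """Interpret every (host, record) pair; returns [(host, line, unresolved)]."""
    return [(host, *interpret(host, line)) for host, line in records]


if __name__ == "__main__":
    for host, line, missing in interpret_all():
        print(f"[{host}] {line}")
        if missing:
            print(f"    unresolved on {host}: {', '.join(missing)}")
```

On a single host `ausearch -i` performs this same interpretation from the local account files; the point of the thread is that once records are forwarded, uid 1000 is alice on finance-sys1 and carol on engineering1, so the mapping has to be applied where it is still known (the source host or its local aggregator), and any id that the map does not cover should stay numeric and be flagged rather than guessed.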