Audit-0.6.3 released
Klaus Weidner
kweidner at pobox.com
Mon Feb 21 19:58:43 UTC 2005
On Sun, Feb 20, 2005 at 04:26:49PM -0500, Steve Grubb wrote:
> Pam_audit was updated to write loginuid to /proc/pid/loginuid. Because of the
> way pam works, this is done in the parent process and the login uid is
> inherited by the child. This does not work for sshd because of privilege
> separation. I'll have to patch that directly.
Your code already works for me with sshd if you put pam_audit.so into the
"session" stack:

Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
[kw at rhel4 ~]$ cat /proc/self/loginuid
500

This was using audit-0.6.3-2 and kernel-2.6.9-5.EL.audit.6, and the
following pam config:

#%PAM-1.0
#
# pam.d/sshd - pam.d/sshd configuration for EAL4/CAPP compliance
# see the Evaluated Configuration Guide for more info
#
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_audit.so

Kris, I'll send out an updated preliminary cert RPM with this change
included.
-Klaus
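
Added example, not part of the original message and not code from the audit project: a small check that pam_audit.so is present in the "session" stack of a pam.d file, and that kernel "login" audit records show the loginuid moving from the unset value 4294967295 to a real uid. The function names, the sample host name and the second sample log line are constructed for illustration.

```python
import re

UNSET_LOGINUID = 4294967295  # (uid_t)-1: no login uid has been assigned yet

# Constructed sample input, modelled on the config and log lines in the message above.
SAMPLE_PAM = """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_audit.so
"""
SAMPLE_LOG = """\
Feb 21 13:46:09 host kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
Feb 21 13:50:00 host kernel: audit(1109015400.100:0): login pid=0 uid=0 old loginuid=500 new loginuid=501
"""

# pam.d entry: [-]type  control-or-[bracketed control]  module-path  [arguments]
PAM_RE = re.compile(r"^\s*-?(\w+)\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")
LOGIN_RE = re.compile(
    r"audit\((\d+\.\d+):\d+\): login .*?old loginuid=(\d+) new loginuid=(\d+)")


def pam_stack_modules(text, stack):
    """Return module file names configured for one PAM stack (e.g. 'session')."""
    modules = []
    for line in text.splitlines():
        m = PAM_RE.match(line.split("#", 1)[0])  # drop comments first
        if m and m.group(1) == stack:
            modules.append(m.group(2).rsplit("/", 1)[-1])
    return modules


def loginuid_changes(log_text):
    """Yield (timestamp, old, new, status) for each kernel 'login' audit record."""
    for m in LOGIN_RE.finditer(log_text):
        old, new = int(m.group(2)), int(m.group(3))
        if new == UNSET_LOGINUID:
            status = "not-set"
        elif old == UNSET_LOGINUID:
            status = "first-assignment"
        else:
            status = "reassigned"  # loginuid changed after it was already set
        yield m.group(1), old, new, status


if __name__ == "__main__":
    ok = "pam_audit.so" in pam_stack_modules(SAMPLE_PAM, "session")
    print("pam_audit.so in session stack:", ok)
    for record in loginuid_changes(SAMPLE_LOG):
        print(record)
```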