[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit-0.6.3 released



On Sun, Feb 20, 2005 at 04:26:49PM -0500, Steve Grubb wrote:
> Pam_audit was updated to write loginuid to /proc/pid/loginuid. Because of the 
> way pam works, this is done in the parent process and the login uid is 
> inherited by the child. This does not work for sshd because of privilege 
> separation. I'll have to patch that directly.

Your code already works for me with sshd if you put pam_audit.so into the
"session" stack:

  Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
  Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
  Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
  Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
  
  Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
  [kw rhel4 ~]$ cat /proc/self/loginuid 
  500

This was using audit-0.6.3-2 and kernel-2.6.9-5.EL.audit.6, and the
following pam config:

  #%PAM-1.0
  #
  #  pam.d/sshd - pam.d/sshd configuration for EAL4/CAPP compliance
  #               see the Evaluated Configuration Guide for more info
  #
  
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  
  account    required     pam_stack.so service=system-auth
  
  password   required     pam_stack.so service=system-auth
  
  session    required     pam_stack.so service=system-auth
  session    required     pam_audit.so

Kris, I'll send out an updated preliminary cert RPM with this change
included.

-Klaus


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]