Audit-0.6.3 released
Klaus Weidner
klaus at atsec.com
Mon Feb 21 20:55:38 UTC 2005
On Mon, Feb 21, 2005 at 03:18:55PM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Sun, 20 Feb 2005 16:26:49 EST, Steve Grubb said:
> > Pam_audit was updated to write loginuid to /proc/pid/loginuid.
> > Because of the way pam works, this is done in the parent process and
> > the login uid is inherited by the child. This does not work for sshd
> > because of privilege separation. I'll have to patch that directly.
>
> OK, I'm a PAM idiot, and the manpage doesn't help much...
>
> It's unclear where pam_audit should be placed relative to other pam
> exits.
Try the following:
*** login
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_audit.so
session required pam_selinux.so multiple open
*** sshd
session required pam_stack.so service=system-auth
session required pam_audit.so
> For that matter, it's unclear if I can just stick it in the system-auth
> that gets included by everybody. Are there any cases where we *don't*
> want it in there?
You don't want a new login UID assigned if someone uses 'su', 'sudo' or
equivalent (that's the entire point of having a login UID maintained
separately), so putting it into system-auth is not a good idea.
-Klaus
More information about the Linux-audit
mailing list