[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit-0.6.3 released



On Mon, 2005-02-21 at 13:58 -0600, Klaus Weidner wrote:
> Your code already works for me with sshd if you put pam_audit.so into the
> "session" stack:
> 
>   Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
>   Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
>   Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
>   Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
>   
>   Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
>   [kw rhel4 ~]$ cat /proc/self/loginuid 
>   500

Yes, Steve was likely assuming that it wouldn't work because we couldn't
use pam_selinux with sshd.  But that is due to the fact that we also
need to relabel the pty in pam_selinux, which is not an issue for
pam_audit.

>   session    required     pam_stack.so service=system-auth
>   session    required     pam_audit.so

Hmm...for pam_selinux, we have to bracket the pam stack with pam_selinux
close and pam_selinux open to ensure that the SELinux exec security
context is not set until _after_ all other pam modules (and their
helpers) have executed on session open and is closed _before_ all other
pam modules (and their helpers) execute on session close.  Is that a
concern for the loginuid?

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]