auditd and SSHD exported variables

Burn Alting burn at swtf.dyndns.org
Fri May 22 23:07:54 UTC 2015


Guillaume,

The only way I can think of is to write a pam module, similar to
Steve's pam_loginuid.

The module would need to gain the user's ssh key and use that to look up
some database that maps the key to a uid. The uid can then be applied to
the loginuid in the proc structure.

Regards

On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> Hello,
> 
> 
> Is there a way to log with auditd exported variables through sshd?
> 
> 
> My servers are used by many users but with the same account. So, I
> export the SSH_USER variable from our "bastion" (where each user has a
> specific account). With this configuration I can retrieve the remote
> login.
> 
> 
> I use this script in /etc/profile.d/:
> 
> logger -p local0.notice "`date` ": Connection from \
>     $SSH_USER@`echo $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " " -f2` \
>     for $USER
> 
> 
> ($SSH_USER is the variable exported via SSHD)
> 
> 
> The ultimate goal is to match the following log with the "remote
> user" (because all users use the uid 1000 to connect to the server):
> 
> 
> type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
> success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2
> ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls"
> key="auditcmd"
> type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
> type=CWD msg=audit(1431694892.457:37824):  cwd="/root"
> type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls"
> inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1431694892.457:37824): item=1 name=(null)
> inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
> 
> 
> Thank you in advance.
> 
> 
> Regards,
> 
> 
> 
> --
> Guillaume
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
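As an added illustration (not code from either post), the script below does the join Guillaume is after without writing a PAM module. It assumes the /etc/profile.d hook is extended to log the audit session id, read from /proc/self/sessionid, next to $SSH_USER in a constructed line format (ssh-map ses=N user=NAME), and then matches auditd SYSCALL records to that user on their ses= field. The audit lines are the ones quoted above; the syslog lines are constructed.

```python
"""Attribute auditd records to the remote (bastion) user via the audit
session id.  Added example, not from either mail in the thread.

Assumed extension of the /etc/profile.d hook (hypothetical line format):

    logger -p local0.notice "ssh-map ses=$(cat /proc/self/sessionid) user=$SSH_USER"

The kernel assigns ses= at login and a process cannot change it without
CAP_AUDIT_CONTROL, so every later record from that login shell carries
the same value even though all of them run as auid=1000.
"""
import re
import shlex

# Audit records copied from the thread (the EXECVE/CWD records share the
# event id with the SYSCALL record but carry no ses= field themselves).
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 '
    'ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"',
    'type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"',
    'type=CWD msg=audit(1431694892.457:37824):  cwd="/root"',
]

# Constructed syslog lines as the extended hook would emit them.
SYSLOG_LINES = [
    'May 15 15:01:02 host guillaume: ssh-map ses=17 user=alice',
    'May 15 15:03:44 host guillaume: ssh-map ses=18 user=bob',
]

MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
MAP_RE = re.compile(r'ssh-map ses=(\d+) user=(\S+)')


def parse_audit_record(line):
    """Turn one audit record into a dict.  shlex strips the quotes auditd
    puts around string values such as exe="/bin/ls"; the msg= field is
    split into the timestamp and the event serial."""
    rec = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition('=')
        if not sep:
            continue
        if key == 'msg':
            m = MSG_RE.search(val)
            if m:
                rec['time'], rec['event'] = m.group(1), m.group(2)
            continue
        rec[key] = val
    return rec


def build_session_map(syslog_lines):
    """Map audit session ids to bastion user names from the hook's lines."""
    sessions = {}
    for line in syslog_lines:
        m = MAP_RE.search(line)
        if m:
            sessions[m.group(1)] = m.group(2)
    return sessions


def attribute(audit_lines, sessions):
    """Join SYSCALL records onto the session map.  Records whose session
    never logged a mapping are kept and flagged, not silently dropped."""
    rows = []
    for line in audit_lines:
        rec = parse_audit_record(line)
        if rec.get('type') != 'SYSCALL':
            continue
        rows.append({
            'event': rec.get('event'),
            'ses': rec.get('ses'),
            'auid': rec.get('auid'),
            'comm': rec.get('comm'),
            'exe': rec.get('exe'),
            'remote_user': sessions.get(rec.get('ses'), 'UNMAPPED'),
        })
    return rows


if __name__ == '__main__':
    for row in attribute(AUDIT_LINES, build_session_map(SYSLOG_LINES)):
        print(row)
```

The join holds across su and sudo because the session id, like loginuid, is fixed for the life of the login session. What it does not do is put the mapping into the audit trail itself; only a loginuid-style PAM module, as Burn suggests, would make the attribution part of the kernel's own records rather than of a separate syslog line.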