Audit-0.6.3 released
Stephen Smalley
sds at tycho.nsa.gov
Tue Feb 22 14:08:35 UTC 2005

On Mon, 2005-02-21 at 13:58 -0600, Klaus Weidner wrote:
> Your code already works for me with sshd if you put pam_audit.so into the
> "session" stack:
>
> Feb 21 13:46:09 rhel4 sshd[2806]: Accepted keyboard-interactive/pam for kw from ::ffff:172.16.204.1 port 59550 ssh2
> Feb 21 13:46:09 rhel4 sshd(pam_unix)[2809]: session opened for user kw by (uid=0)
> Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500
> Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'
>
> Last login: Mon Feb 21 13:43:12 2005 from 172.16.204.1
> [kw@rhel4 ~]$ cat /proc/self/loginuid
> 500

Yes, Steve was likely assuming that it wouldn't work because we couldn't
use pam_selinux with sshd. But that is due to the fact that we also
need to relabel the pty in pam_selinux, which is not an issue for
pam_audit.

> session required pam_stack.so service=system-auth
> session required pam_audit.so

Hmm...for pam_selinux, we have to bracket the pam stack with pam_selinux
close and pam_selinux open to ensure that the SELinux exec security
context is not set until _after_ all other pam modules (and their
helpers) have executed on session open and is closed _before_ all other
pam modules (and their helpers) execute on session close. Is that a
concern for the loginuid?
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
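
A log check for the kernel audit records quoted above, added here as an example; it is not part of the original message or of the audit package. It assumes the syslog record layout shown in the quoted log (audit 0.6.x era), and the function name, the findings it reports and the last two sample lines are constructed for illustration.

```python
import re

UNSET = 4294967295  # (uid_t)-1, the "old loginuid" value shown in the quoted log

LOGIN_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\): login pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"old loginuid=(?P<old>\d+) new loginuid=(?P<new>\d+)")
USER_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\): user pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"length=\d+ loginuid=(?P<luid>\d+) "
    r"msg='login user=(?P<user>\S+) uid=(?P<muid>\d+)'")

# Lines 1-2 are the records from the quoted log; lines 3-4 are constructed.
SAMPLE = [
    "Feb 21 13:46:09 rhel4 kernel: audit(1109015169.528:0): login pid=0 uid=0 old loginuid=4294967295 new loginuid=500",
    "Feb 21 13:46:09 rhel4 kernel: audit(1109015169.530:0): user pid=2809 uid=0 length=24 loginuid=500 msg='login user=kw uid=500'",
    "Feb 21 14:02:11 rhel4 kernel: audit(1109016131.101:0): user pid=2901 uid=0 length=24 loginuid=4294967295 msg='login user=kw uid=500'",
    "Feb 21 14:05:40 rhel4 kernel: audit(1109016340.220:0): login pid=0 uid=0 old loginuid=500 new loginuid=0",
]

def check_login_records(lines):
    """Return (line_number, finding) pairs for records worth a second look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOGIN_RE.search(line)
        if m:
            old, new = int(m["old"]), int(m["new"])
            # Assumption: a loginuid should be assigned once, from the unset value.
            if old != UNSET:
                findings.append((n, f"loginuid overwritten: {old} -> {new}"))
            if new == UNSET:
                findings.append((n, "loginuid set to the unset value"))
            continue
        m = USER_RE.search(line)
        if m:
            luid, muid = int(m["luid"]), int(m["muid"])
            if luid == UNSET:
                # The login message was emitted before any loginuid was assigned.
                findings.append((n, f"login of {m['user']} recorded with no loginuid"))
            elif luid != muid:
                findings.append((n, f"loginuid {luid} != logged-in uid {muid} ({m['user']})"))
    return findings

if __name__ == "__main__":
    for lineno, finding in check_login_records(SAMPLE):
        print(f"line {lineno}: {finding}")
```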