auid field when switching user

Guillaume L. snnijd at gmail.com
Thu May 7 09:02:25 UTC 2015 

Thank you !

I think you point the "missing". My first try was on debian wheezy. Now I
try on debian jessie. With jessie, all requirements seems presents and the
field auid has the right value !

type=SYSCALL msg=audit(1430989253.292:23716): arch=c000003e syscall=59
success=yes exit=0 a0=940b68 a1=a1aba8 a2=a1c008 a3=7ffd2d4978f0 items=2
ppid=16848 pid=16864 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=39 comm="ps" exe="/bin/ps" key="auditcmd"
type=EXECVE msg=audit(1430989253.292:23716): argc=1 a0="ps"
type=CWD msg=audit(1430989253.292:23716):  cwd="/etc/pam.d"
type=PATH msg=audit(1430989253.292:23716): item=0 name="/bin/ps" inode=420
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1430989253.292:23716): item=1 name=(null) inode=1478
dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1430989253.292:23716): proctitle="ps"


Thank you for your help !

--
Guillaume

On Thu, May 7, 2015 at 12:13 AM, Burn Alting <burn at swtf.dyndns.org> wrote:

> On Wed, 2015-05-06 at 10:56 -0400, Steve Grubb wrote:
> > Hello,
> >
> > On Wednesday, May 06, 2015 04:39:16 PM Guillaume L. wrote:
> > > I'm trying to use auditd to log all actions made by the users on the
> > > system. This part works fine.
> > >
> > > The documentation mention the "auid" field to identify the user from
> the
> > > first connection "even" when the user's identity changes (like with a
> su):
> >
> > Correct.
> >
> > > auid=500
> > > The auid field records the Audit user ID, that is the loginuid. This
> ID is
> > > assigned to a user upon login and is inherited by every process even
> when
> > > the user's identity changes (for example, by switching user accounts
> with
> > > the su - john command).
> > >
> > > But this is not working. If I log with the user "test" (uid 1000) when
> I
> > > switch to the user root, the value of auid is 0 (the uid of root).
> >
> > How did you switch the user? I would like to try recreating the issue.
> It may
> > be that the underlying implementation actually does log you out. You'd
> have to
> > look for one of:
> >
> > AUDIT_USER_LOGOUT -  User has logged out
> > AUDIT_USER_END - User session end
> > AUDIT_CRED_DISP - User credential disposed
> >
>
> Perhaps pam_loginuid hasn't been applied
> in
> /etc/pam.d/{atd,crond,gdm,gdm-autologin,gdm-fingerprint,gdm-password,login,remote,sshd,ssh-keycat}
>
> When searching for the module, do you see something like
>         # grep pam_loginuid /etc/pam.d/*
>         /etc/pam.d/atd:session    required    pam_loginuid.so
>         /etc/pam.d/crond:session    required   pam_loginuid.so
>         /etc/pam.d/gdm:session    required    pam_loginuid.so
>         /etc/pam.d/gdm-autologin:session    required    pam_loginuid.so
>         /etc/pam.d/gdm-fingerprint:session     required
>         pam_loginuid.so
>         /etc/pam.d/gdm-password:session     required
>         pam_loginuid.so
>         /etc/pam.d/login:session    required     pam_loginuid.so
>         /etc/pam.d/remote:session    required     pam_loginuid.so
>         /etc/pam.d/sshd:session    required     pam_loginuid.so
>         /etc/pam.d/ssh-keycat:session    required     pam_loginuid.so
>         #
>
> If not, then read up on how to use required pam modules.
>
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20150507/2b2eafc1/attachment.htm>

More information about the Linux-audit mailing list