auditd and SSHD exported variables

Guillaume L. snnijd at gmail.com
Mon May 25 07:37:33 UTC 2015


Hello,

Thank you for your response.

I hoped that there were other ways to do this :)

I will explore pam to try to create a module!

--
Guillaume



On Sat, May 23, 2015 at 1:07 AM, Burn Alting <burn at swtf.dyndns.org> wrote:

> Guillaume,
>
> The only way I can think of is to write a pam module, similar to
> Steve's pam_loginuid.
>
> The module would need to gain the user's ssh key and use that to look up
> some database that maps the key to a uid. The uid can then be applied to
> the loginuid in the proc structure.
>
> Regards
>
> On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> > Hello,
> >
> >
> > Is there a way to log with auditd exported variables through sshd?
> >
> >
> > My servers are used by many users but with the same account. So, I
> > export the SSH_USER variable from our "bastion" (where each user has a
> > specific account). With this configuration I can retrieve the remote
> > login.
> >
> >
> > I use this script in /etc/profile.d/:
> >
> >
> >
> > logger -p local0.notice "$(date): Connection from $SSH_USER@$(echo "$SSH_CONNECTION" | cut -d ' ' -f1):$(echo "$SSH_CONNECTION" | cut -d ' ' -f2) for $USER"
> >
> >
> > ($SSH_USER is the variable exported via SSHD)
> >
> >
> > The ultimate goal is to match the following log with the "remote
> > user" (because all users use the uid 1000 to connect to the server):
> >
> >
> > type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
> > success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2
> > ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls"
> > key="auditcmd"
> > type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
> >
> >
> > type=CWD msg=audit(1431694892.457:37824):  cwd="/root"
> >
> >
> > type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls"
> > inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1431694892.457:37824): item=1 name=(null)
> > inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
> >
> >
> > Thank you in advance.
> >
> >
> > Regards,
> >
> >
> >
> > --
> > Guillaume