auditd and SSHD exported variables
Steve Grubb
sgrubb at redhat.com
Mon May 25 22:09:38 UTC 2015
On Monday, May 25, 2015 09:37:33 AM Guillaume L. wrote:
> Hello,
>
> Thank you for your response.
>
> I hoped that there are another ways to do this :)
>
> I will explore pam to try to create a module !
The audit system in its entirety is designed with the assumption that each
user has their own account. Its for this reason that all security guidance
asks that root logins be disallowed. (Root is typically a shared account and
you cannot tell who did what if root logins were allowed.)
I'm not sure of the use case. Perhaps it really doesn't matter to have an
audit trail. But without any knowledge of the problem that one common account
solves, I say that you might consider giving people different accounts and use
supplemental groups if they share documents.
-Steve
> On Sat, May 23, 2015 at 1:07 AM, Burn Alting <burn at swtf.dyndns.org> wrote:
> > Guillaume,
> >
> > The only way I can think of, is to write a pam module, similar to
> > Steve's pam_loginuid.
> >
> > The module would need to gain the user's ssh key and use that to look up
> > some database that maps the key to a uid. The uid can then be applied to
> > the loginuid in the proc structure.
> >
> > Regards
> >
> > On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> > > Hello,
> > >
> > >
> > > Is there a way to log with auditd exported variables through ssd ?
> > >
> > >
> > > My servers are used by many users but with the same account. So, I
> > > export the SSH_USER variable from our "bastion" (where each user has a
> > > specific account). With this configuration I can retrieve the remote
> > > login.
> > >
> > >
> > > I use this script in /etc/profile.d/:
> > >
> > >
> > >
> > > logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo
> > > $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " "
> > > -f2` for $USER
> > >
> > >
> > > ($SSH_USER is the variable exported via SSHD)
> > >
> > >
> > > The ultimate goal is to match the following log with the "remote
> > > user" (because all users use the uid 1000 to connect to the server):
> > >
> > >
> > > type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
> > > success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2
> > > ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls"
> > > key="auditcmd"
> > > type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
> > >
> > >
> > > type=CWD msg=audit(1431694892.457:37824): cwd="/root"
> > >
> > >
> > > type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls"
> > > inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1431694892.457:37824): item=1 name=(null)
> > > inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
> > >
> > >
> > > Thank you in advance.
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > --
> > > Guillaume
> > > --
> > > Linux-audit mailing list
> > > Linux-audit at redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list