auditd and SSHD exported variables

Burn Alting burn at swtf.dyndns.org
Tue May 26 11:46:03 UTC 2015


Steve,

I am assuming that Guillaume has a situation where he wants to provide a
unique sshd key as a login token as opposed to a user account name token
we find in /etc/passwd (or its equivalent). In practice, it should just
require a single level of indirection. That is map the sshd key to the
account name and then to the account's uid in some corporate repository.

Regards

On Mon, 2015-05-25 at 18:09 -0400, Steve Grubb wrote:
> On Monday, May 25, 2015 09:37:33 AM Guillaume L. wrote:
> > Hello,
> > 
> > Thank you for your response.
> > 
> > I hoped that there were other ways to do this :)
> > 
> > I will explore pam to try to create a module !
> 
> The audit system in its entirety is designed with the assumption that each 
> user has their own account. It's for this reason that all security guidance 
> asks that root logins be disallowed. (Root is typically a shared account and 
> you cannot tell who did what if root logins were allowed.)
> 
> I'm not sure of the use case. Perhaps it really doesn't matter to have an 
> audit trail. But without any knowledge of the problem that one common account 
> solves, I say that you might consider giving people different accounts and use 
> supplemental groups if they share documents.
> 
> -Steve 
> 
> 
> > On Sat, May 23, 2015 at 1:07 AM, Burn Alting <burn at swtf.dyndns.org> wrote:
> > > Guillaume,
> > > 
> > > The only way I can think of is to write a pam module, similar to
> > > Steve's pam_loginuid.
> > > 
> > > The module would need to gain the user's ssh key and use that to look up
> > > some database that maps the key to a uid. The uid can then be applied to
> > > the loginuid in the proc structure.
> > > 
> > > Regards
> > > 
> > > On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> > > > Hello,
> > > > 
> > > > 
> > > > Is there a way to log with auditd exported variables through sshd?
> > > > 
> > > > 
> > > > My servers are used by many users but with the same account. So, I
> > > > export the SSH_USER variable from our "bastion" (where each user has a
> > > > specific account). With this configuration I can retrieve the remote
> > > > login.
> > > > 
> > > > 
> > > > I use this script in /etc/profile.d/:
> > > > 
> > > > 
> > > > 
> > > > logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo
> > > > $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " "
> > > > -f2` for $USER
> > > > 
> > > > 
> > > > ($SSH_USER is the variable exported via SSHD)
> > > > 
> > > > 
> > > > The ultimate goal is to match the following log with the "remote
> > > > user" (because all users use the uid 1000 to connect to the server):
> > > > 
> > > > 
> > > > type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59
> > > > success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2
> > > > ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > > egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls"
> > > > key="auditcmd"
> > > > type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
> > > > 
> > > > 
> > > > type=CWD msg=audit(1431694892.457:37824):  cwd="/root"
> > > > 
> > > > 
> > > > type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls"
> > > > inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > > type=PATH msg=audit(1431694892.457:37824): item=1 name=(null)
> > > > inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > > type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
> > > > 
> > > > 
> > > > Thank you in advance.
> > > > 
> > > > 
> > > > Regards,
> > > > 
> > > > 
> > > > 
> > > > --
> > > > Guillaume
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
> 
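As an added illustration of the attribution problem discussed in this thread (this is not code from the thread or from the audit project): the SYSCALL record above carries a session id (ses=17) that pam_loginuid assigns at login, and the poster's /etc/profile.d logger line runs inside that same session. If that logger line is extended to also emit the session id, read from /proc/self/sessionid (a hypothetical extension of the poster's script, appended here as "ses=<n>"), then the syslog line gives you remote user -> session, and every audit record with that ses value can be attributed to the remote user even though auid is the shared 1000. The audit and syslog lines below are constructed samples in the layout shown in the thread.

```python
"""Attribute audit records from a shared account to the SSH remote user.

Added example, not from the linux-audit thread. Assumes the profile.d
logger line was extended (hypothetically) to append "ses=<n>" taken from
/proc/self/sessionid. All sample log lines are constructed."""
import re
from collections import defaultdict

# Constructed syslog lines in the shape the poster's logger command produces,
# with the hypothetical "ses=<n>" suffix appended.
SYSLOG_LINES = [
    'May 15 15:01:32 srv1 user: Fri May 15 15:01:32 2015  : Connection from alice@10.1.2.3 : 51234 for shared ses=17',
    'May 15 15:03:10 srv1 user: Fri May 15 15:03:10 2015  : Connection from bob@10.1.2.9 : 40210 for shared ses=18',
]

# Constructed audit records in the same layout as the thread's example.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"',
    'type=EXECVE msg=audit(1431694892.457:37824): argc=2 a0="ls" a1="-l"',
    'type=CWD msg=audit(1431694892.457:37824): cwd="/root"',
    'type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1431695001.120:37830): arch=c000003e syscall=59 success=yes exit=0 ppid=31002 pid=31010 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts4 ses=18 comm="cat" exe="/bin/cat" key="auditcmd"',
    'type=EXECVE msg=audit(1431695001.120:37830): argc=2 a0="cat" a1="/etc/hosts"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not
FIELD_RE = re.compile(r'(\w[\w-]*)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
SESSION_RE = re.compile(r'Connection from (\S+)@(\S+) : (\d+) for (\S+) ses=(\d+)')


def parse_audit_record(line):
    """Split one audit record into a dict of fields. Quoted values are
    unquoted; unquoted values such as (null) are kept as-is."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    m = MSG_RE.search(line)
    if m:
        fields['_time'] = float(m.group(1))
        fields['_serial'] = int(m.group(2))
    return fields


def group_events(lines):
    """Group records by their msg=audit(time:serial) id into one event per
    syscall; later records of the same type (e.g. several PATH) overwrite."""
    events = defaultdict(dict)
    for line in lines:
        f = parse_audit_record(line)
        events[(f['_time'], f['_serial'])][f['type']] = f
    return events


def argv_of(execve):
    """Rebuild argv from an EXECVE record's argc / a0..aN fields."""
    return [execve.get('a%d' % i, '') for i in range(int(execve['argc']))]


def session_map(syslog_lines):
    """ses -> (remote_user, client_ip, local_account) from the logger lines."""
    out = {}
    for line in syslog_lines:
        m = SESSION_RE.search(line)
        if m:
            out[int(m.group(5))] = (m.group(1), m.group(2), m.group(4))
    return out


def attribute(audit_lines, syslog_lines):
    """One attribution per SYSCALL event, keyed by the audit serial number.
    Sessions with no matching logger line are reported as UNKNOWN."""
    sessions = session_map(syslog_lines)
    result = {}
    for (t, serial), recs in sorted(group_events(audit_lines).items()):
        sc = recs.get('SYSCALL')
        if not sc:
            continue
        ses = int(sc['ses'])
        remote_user, client, _account = sessions.get(ses, ('UNKNOWN', '?', '?'))
        result[serial] = {
            'time': t,
            'ses': ses,
            'auid': int(sc['auid']),
            'remote_user': remote_user,
            'client': client,
            'argv': argv_of(recs['EXECVE']) if 'EXECVE' in recs else [sc['comm']],
            'cwd': recs.get('CWD', {}).get('cwd'),
        }
    return result


if __name__ == '__main__':
    for serial, a in attribute(AUDIT_LINES, SYSLOG_LINES).items():
        print('%d ses=%d auid=%d %s@%s ran "%s" in %s' % (
            serial, a['ses'], a['auid'], a['remote_user'], a['client'],
            ' '.join(a['argv']), a['cwd']))
```

The join key is the session id rather than the pid because every process spawned from the login shell inherits the same ses value, so one logger line covers the whole session; a logger line without "ses=" (as in the original script) leaves nothing reliable to join on, which is the gap the PAM approach discussed above closes at the kernel level by setting loginuid itself.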