If I have a process that starts up automatically without going through
the pam stack, and users can interact with it, is there any good way to
assign a uid that the audit system can use?  Is it possible to have it
change /proc/self/loginuid?

The problem isn't so much what they do with the process as it is
the fact that it allows them to call up a terminal; that terminal always
starts as a particular user, but its loginuid isn't set.

-----Original Message-----
From: Steve Grubb [mailto:[email protected]] 
Sent: Wednesday, May 11, 2011 10:38 AM
To: [email protected]
Cc: Harris, Todd
Subject: Re: user showing up as unset

On Monday, May 09, 2011 03:47:39 PM Harris, Todd wrote:
> So I was wondering if anyone had seen this.  I have a set of nodes that
> when we set up auditd on them the events we get back list the auid as
> unset for basically everything except for login which shows up
> correctly.  Does anyone know where I may need to look at the config,
> something in PAM or elsewhere?

All entry point daemons should have a call to pam_loginuid in their pam
stack. This would be login, sshd, gdm, kdm, xdm, vsftpd, cron, etc. You
might also want audit=1 added to the kernel boot line.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
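
As an added example (not part of the original mails), the following Python checks the two things the quoted reply suggests: that each entry point daemon's PAM file loads pam_loginuid in its session stack, and that audit=1 is on the kernel command line. The /etc/pam.d file names, the "mydaemon" service and the sample PAM contents are assumptions constructed for illustration.

```python
import os

UNSET_AUID = 4294967295  # (uid_t)-1: kernel value for "loginuid not set"
# Daemon names from the mail; file names under /etc/pam.d are an assumption
# (for example, some distributions name the cron service file "crond").
SERVICES = ["login", "sshd", "gdm", "kdm", "xdm", "vsftpd", "cron"]

def has_pam_loginuid(pam_text):
    """True if an uncommented session line loads pam_loginuid.so.
    include/substack directives are not followed."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        if any(os.path.basename(f) == "pam_loginuid.so" for f in fields[2:]):
            return True
    return False

def missing_loginuid(pam_files):
    """pam_files maps service name -> file text; returns services lacking it."""
    return sorted(s for s, t in pam_files.items() if not has_pam_loginuid(t))

def audit_enabled_at_boot(cmdline):
    """True if audit=1 is on the kernel command line (/proc/cmdline text)."""
    return "audit=1" in cmdline.split()

def auid_is_unset(loginuid_text):
    """Interpret the contents of /proc/<pid>/loginuid."""
    return int(loginuid_text.strip()) == UNSET_AUID

# Constructed sample PAM files: one with the module, one with it commented out.
SAMPLE_SSHD = "#%PAM-1.0\nauth include password-auth\nsession required pam_loginuid.so\n"
SAMPLE_DAEMON = "#%PAM-1.0\nauth include system-auth\n# session required pam_loginuid.so\n"

def read(path):
    with open(path) as fh:
        return fh.read()

if __name__ == "__main__":
    # "mydaemon" is a hypothetical service that never gained the module.
    print(missing_loginuid({"sshd": SAMPLE_SSHD, "mydaemon": SAMPLE_DAEMON}))
    live = {s: read(os.path.join("/etc/pam.d", s)) for s in SERVICES
            if os.path.isfile(os.path.join("/etc/pam.d", s))}
    print("services without pam_loginuid:", missing_loginuid(live))
    if os.path.isfile("/proc/cmdline"):
        print("audit=1 at boot:", audit_enabled_at_boot(read("/proc/cmdline")))
    if os.path.isfile("/proc/self/loginuid"):
        print("this process auid unset:", auid_is_unset(read("/proc/self/loginuid")))
```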
