Steve,

I am assuming that Guillaume has a situation where he wants to provide a unique sshd key as a login token as opposed to a user account name token we find in /etc/passwd (or its equivalent). In practice, it should just require a single level of indirection. That is, map the sshd key to the account name and then to the account's uid in some corporate repository.

Regards

On Mon, 2015-05-25 at 18:09 -0400, Steve Grubb wrote:
> On Monday, May 25, 2015 09:37:33 AM Guillaume L. wrote:
> > Hello,
> >
> > Thank you for your response.
> >
> > I hoped that there are other ways to do this :)
> >
> > I will explore pam to try to create a module !
>
> The audit system in its entirety is designed with the assumption that each
> user has their own account. It's for this reason that all security guidance
> asks that root logins be disallowed. (Root is typically a shared account and
> you cannot tell who did what if root logins were allowed.)
>
> I'm not sure of the use case. Perhaps it really doesn't matter to have an
> audit trail. But without any knowledge of the problem that one common account
> solves, I say that you might consider giving people different accounts and
> use supplemental groups if they share documents.
>
> -Steve
>
> > On Sat, May 23, 2015 at 1:07 AM, Burn Alting <[email protected]> wrote:
> > > Guillaume,
> > >
> > > The only way I can think of, is to write a pam module, similar to
> > > Steve's pam_loginuid.
> > >
> > > The module would need to gain the user's ssh key and use that to look up
> > > some database that maps the key to a uid. The uid can then be applied to
> > > the loginuid in the proc structure.
> > >
> > > Regards
> > >
> > > On Fri, 2015-05-15 at 15:09 +0200, Guillaume L. wrote:
> > > > Hello,
> > > >
> > > > Is there a way to log with auditd exported variables through sshd ?
> > > >
> > > > My servers are used by many users but with the same account. So, I
> > > > export the SSH_USER variable from our "bastion" (where each user has a
> > > > specific account). With this configuration I can retrieve the remote
> > > > login.
> > > >
> > > > I use this script in /etc/profile.d/:
> > > >
> > > > logger -p local0.notice "`date` ": Connection from $SSH_USER@`echo $SSH_CONNECTION | cut -d " " -f1`":"`echo $SSH_CONNECTION | cut -d " " -f2` for $USER
> > > >
> > > > ($SSH_USER is the variable exported via SSHD)
> > > >
> > > > The ultimate goal is to match the following log with the "remote
> > > > user" (because all users use the uid 1000 to connect to the server):
> > > >
> > > > type=SYSCALL msg=audit(1431694892.457:37824): arch=c000003e syscall=59 success=yes exit=0 a0=14cea68 a1=1423a48 a2=1553008 a3=0 items=2 ppid=30894 pid=30947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=17 comm="ls" exe="/bin/ls" key="auditcmd"
> > > > type=EXECVE msg=audit(1431694892.457:37824): argc=1 a0="ls"
> > > > type=CWD msg=audit(1431694892.457:37824): cwd="/root"
> > > > type=PATH msg=audit(1431694892.457:37824): item=0 name="/bin/ls" inode=157 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> > > > type=PATH msg=audit(1431694892.457:37824): item=1 name=(null) inode=4212 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> > > > type=PROCTITLE msg=audit(1431694892.457:37824): proctitle="ls"
> > > >
> > > > Thank you in advance.
> > > >
> > > > Regards,
> > > >
> > > > --
> > > > Guillaume
> > > > --
> > > > Linux-audit mailing list
> > > > [email protected]
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
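
The key to account name to uid indirection discussed in this thread, as an added example that is not part of the original messages and is not code from pam_loginuid. The repository tables, uids and key blobs are constructed, and how a PAM module would obtain the public key from sshd is assumed and not shown; the returned uid is the value such a module would apply as the loginuid.

```python
import base64
import hashlib

def _line(blob: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from a constructed blob."""
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample keys: arbitrary bytes, not real SSH public keys.
KEY_ALICE = _line(b"constructed-blob-alice", "alice@bastion")
KEY_BOB = _line(b"constructed-blob-bob", "bob@bastion")
KEY_CAROL = _line(b"constructed-blob-carol", "carol@bastion")
KEY_UNKNOWN = _line(b"constructed-blob-unknown", "nobody@elsewhere")

SHARED_UID = 1000  # the shared account seen as auid=1000 in the thread

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Hypothetical repository tables (constructed): key -> account, account -> uid.
KEY_TO_ACCOUNT = {fingerprint(KEY_ALICE): "alice", fingerprint(KEY_BOB): "bob",
                  fingerprint(KEY_CAROL): "carol"}
ACCOUNT_TO_UID = {"alice": 20001, "bob": 20002}  # carol has no uid assigned

def resolve_loginuid(pubkey_line: str):
    """Return the per-person uid for a key, or None if either hop fails."""
    try:
        account = KEY_TO_ACCOUNT.get(fingerprint(pubkey_line))
    except ValueError:  # malformed line or invalid base64
        return None
    uid = ACCOUNT_TO_UID.get(account)
    # Never hand back the shared uid: that would recreate the original problem.
    if uid is None or uid == SHARED_UID:
        return None
    return uid

if __name__ == "__main__":
    for key in (KEY_ALICE, KEY_BOB, KEY_CAROL, KEY_UNKNOWN, "garbage"):
        print(key.split()[-1], "->", resolve_loginuid(key))
```

A None result means the session should be refused or flagged rather than audited under the shared uid.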
