Hi Piotr,

On Wed, Jun 30, 2010 at 12:01:23PM +0200, Piotr Jasiukajtis wrote:
> In addition to that:
> 
> # /usr/sbin/auditconfig -getaudit
> audit id = unknown(-2)
> process preselection mask = no(0x0,0x0)
> terminal id (maj,min,host) = 15289,202240,unknown(10.1.1.10)
> audit session id = 0

        This is weird. Are you sure that auditing is correctly
        configured on that system? The "audit id = unknown(-2)" (along
        with the knowledge that the user has logged in via ssh) would
        mean that the appropriate credential-related structure members
        were not correctly filled in the kernel.

        Please file a bug against that and, as much as possible, be
        precise in specifying the details (defect.opensolaris.org).

        I've double-checked on one of the recent builds configured with
        LDAP authentication that the Auditing Subsystem is behaving
        correctly. However, it might be the case that I'm not using the
        same scenario for my testing.


$ pfexec /usr/sbin/praudit /var/audit/20100630151156.not_terminated.test
file,2010-06-30 17:11:56.295 +02:00,
header,69,2,login - ssh,,test.machine.com,2010-06-30 17:12:10.467 +02:00
subject,myself,myself,other,myself,other,761,2700863468,7533 136704 other_box
return,success,0
        .
        .

header,69,2,su,,tipo.czech.sun.com,2010-06-30 17:17:06.091 +02:00
subject,myself,myself,other,myself,other,772,2700863468,7533 136704 other_box
return,success,0


$ pfexec /usr/sbin/auditconfig -getaudit
audit id = myself(2000)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 7533,136704,test(my.i.p.address)
audit session id = 2700863468

$ grep passwd: /etc/nsswitch.conf 
passwd:     files ldap nis
$
$ grep myself /etc/passwd 
$
$ ypmatch -k myself passwd
Can't match key myself in map passwd.byname.  Reason: no such key in map.
$
$ getent passwd myself
myself:x:2000:1:LDAP user:/export/home/myself:/bin/bash
$ 

        Thanks,

        /j.

> >>
> >> praudit says only:
> >> header,32,2,su,,server,2010-06-29 15:56:24.284 +02:00,return,success,0
> >>
> >> In case of local users it says:
> >> ,subject,estibi,root,root,root,root,8416,1677303986,6456 71168
> >> 10.1.1.10,return,success,0


_______________________________________________
security-discuss mailing list
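
A check for the symptom discussed in this thread, as an added example that is not part of the original message: it scans praudit text output and reports every audit record that carries no subject token, like the su record quoted above. The function names are assumptions made for illustration, and the sample input is constructed from the record shapes shown in the thread.

```shell
#!/bin/sh
# Added example: list praudit records that have no subject token.
# Input is praudit text output on stdin, in the default form (one token per
# line) or the one-line-per-record form seen in the quoted report.
# Output is "event<TAB>timestamp" for each record without a subject token.
records_without_subject() {
    awk -F, '
        function report() {
            if (in_rec && !has_subject) printf "%s\t%s\n", event, stamp
        }
        $1 == "header" {
            report()                  # close the previous record
            in_rec = 1; has_subject = 0
            event = $4                # event name, e.g. "su"
            stamp = $7                # record timestamp
        }
        in_rec {
            # A token name is the first field of a line in the default form
            # and an ordinary field in the one-line form, so scan all fields.
            for (i = 1; i <= NF; i++) if ($i == "subject") has_subject = 1
        }
        END { report() }
    '
}

# Constructed sample: the first two records follow lines shown in the thread,
# the last one (host-a, alice) is made up to cover a one-line record that
# does carry a subject token.
sample_praudit() {
    cat <<'EOF'
file,2010-06-30 17:11:56.295 +02:00,
header,69,2,login - ssh,,test.machine.com,2010-06-30 17:12:10.467 +02:00
subject,myself,myself,other,myself,other,761,2700863468,7533 136704 other_box
return,success,0
header,32,2,su,,server,2010-06-29 15:56:24.284 +02:00,return,success,0
header,97,2,su,,host-a,2010-01-01 00:00:00.000 +00:00,subject,alice,root,root,root,root,100,200,0 0 host-b,return,success,0
EOF
}

# Only the su record from "server" is reported.
sample_praudit | records_without_subject
```

On a live system the function would be fed from praudit directly instead of the sample, for example `praudit <trail file> | records_without_subject`.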