On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
On 10/29/2010 04:32 PM, Martin Holste wrote:
Won't the user login pattern only catch root logins because of uid=0?
<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
Couldn't it be changed to
<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
No, check the log samples I used to create the patterns. User "czanik" has uid=1000, but still all the logs end with (uid=0):
Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)
The reason for this is that the (uid=0) indicates the uid of the user who opened the session, meaning that the login was created by something running as the root user, uid 0. So in reality the pattern should capture this other variable somewhere, for people who have daemons which are non-root.
Peter Czanik (CzP) <czanik@balabit.hu>
Matthew Hall.
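
The distinction discussed in this thread, as an added example that is not part of the original messages: a small Python sketch of the ESTRING semantics (read up to a delimiter, then consume it) run over the log line quoted above and one constructed line. The field name `usracct.opener_uid` and the second sample line are assumptions for illustration, and the matcher is a simplification, not syslog-ng's implementation.

```python
import re

# Only the @ESTRING:name:delimiter@ parser used in the thread is modelled.
TOKEN = re.compile(r"@ESTRING:([^:]*):([^@]+)@")

PREFIX = "pam_unix(login:session): session opened for user "
# Pattern from the thread: the opener's uid is hard-coded as 0.
ORIGINAL = PREFIX + "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)"
# Variant that captures the opener's uid under a hypothetical field name.
CAPTURE = (PREFIX + "@ESTRING:usracct.username: @by @ESTRING::(@"
           "uid=@ESTRING:usracct.opener_uid:)@")

def match(pattern, message):
    """Return the captured fields if the whole message matches, else None."""
    parts = TOKEN.split(pattern)  # [literal, name, delim, literal, ...]
    pos, fields = 0, {}
    for i in range(0, len(parts), 3):
        literal = parts[i]
        if not message.startswith(literal, pos):
            return None
        pos += len(literal)
        if i + 2 < len(parts):
            name, delim = parts[i + 1], parts[i + 2]
            end = message.find(delim, pos)
            if end == -1:
                return None
            if name:  # an unnamed ESTRING skips text without storing it
                fields[name] = message[pos:end]
            pos = end + len(delim)
    return fields if pos == len(message) else None

# Message parts only (timestamp, host and program header removed).
FROM_THREAD = PREFIX + "czanik by (uid=0)"
CONSTRUCTED = PREFIX + "czanik by admin(uid=1000)"  # constructed sample

if __name__ == "__main__":
    for msg in (FROM_THREAD, CONSTRUCTED):
        print(msg)
        print("  original:", match(ORIGINAL, msg))
        print("  capture: ", match(CAPTURE, msg))
```

The hard-coded pattern drops the session opened by a non-root account, while the capturing variant keeps it and records the opener's uid separately from the username.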