Hello,

Attached is a new version of login.pdb (called login2.pdb). It has patterns for many console/terminal/telnet login/logout events. This version should generate one set of name value pairs for each event, and only one.

If you use console/login/telnet for logins, please give it a try and let me know how it works for you. I found that there are some slight variations among messages even between different Ubuntu versions, so I'd like to see how these patterns work on a larger set of Linux distributions and UNIX revisions.

Thank you for your help,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
Won't the user login pattern only catch root logins because of uid=0?

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>

Couldn't it be changed to

<pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>

On Fri, Oct 29, 2010 at 7:45 AM, Peter Czanik <czanik@balabit.hu> wrote:
> Hello,
>
> Attached is a new version of login.pdb (called login2.pdb). It has patterns for many console/terminal/telnet login/logout events. This version should generate one set of name value pairs for each event, and only one.
>
> If you use console/login/telnet for logins, please give it a try and let me know how it works for you. I found that there are some slight variations among messages even between different Ubuntu versions, so I'd like to see how these patterns work on a larger set of Linux distributions and UNIX revisions.
>
> Thank you for your help,
> --
> Peter Czanik (CzP) <czanik@balabit.hu>
> BalaBit IT Security / syslog-ng upstream
> http://czanik.blogs.balabit.com/
Hello,

On 10/29/2010 04:32 PM, Martin Holste wrote:
> Won't the user login pattern only catch root logins because of uid=0?
>
> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>
> Couldn't it be changed to
>
> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
No, check my log samples I used to create the patterns. User "czanik" has uid=1000, still all the logs end with (uid=0):

Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)

So it does not seem to have anything to do with the user's uid.

Have a nice weekend!
Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
> On 10/29/2010 04:32 PM, Martin Holste wrote:
>> Won't the user login pattern only catch root logins because of uid=0?
>>
>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>>
>> Couldn't it be changed to
>>
>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>
> No, check my log samples I used to create the patterns. User "czanik" has uid=1000, still all the logs end with (uid=0):
>
> Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)
The reason for this is that the (uid=0) indicates the uid of the user who opened the session, meaning that the login was created by something running as the root user, uid 0. So in reality the pattern should capture this other variable somewhere, for people who have daemons which are non-root.

> --
> Peter Czanik (CzP) <czanik@balabit.hu>

Matthew Hall.
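An added example, not code from the thread or from login2.pdb: a toy Python matcher for the @ESTRING:name:delimiter@ parser, run over the message part of Peter's log sample and a constructed variant with a non-root caller, showing that the uid=0 pattern still matches the uid-1000 user's login (the uid belongs to the process that opened the session, as Matthew explains) and what Martin's variant would capture instead. The parser semantics and the uid=1000 sample are my assumptions.

```python
import re

# Minimal stand-in for patterndb's @ESTRING:name:delimiter@ parser: it captures
# everything up to the first occurrence of delimiter (empty delimiter = rest of
# the message), then skips the delimiter. Everything else in a pattern is literal.
ESTRING_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

# The two patterns quoted in the thread; patterndb matches them against $MESSAGE.
PATTERN_ROOT_LITERAL = ("pam_unix(login:session): session opened for user "
                        "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
PATTERN_CAPTURE_UID = ("pam_unix(login:session): session opened for user "
                       "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@")

# Message part of Peter's log sample, plus a constructed variant where the
# process opening the session is not root (assumption, not from the thread).
MSG_LOGIN_AS_ROOT = "pam_unix(login:session): session opened for user czanik by (uid=0)"
MSG_LOGIN_BY_NONROOT = "pam_unix(login:session): session opened for user czanik by (uid=1000)"


def match_pattern(pattern, message):
    """Return the name-value pairs a pattern yields for message, or None if it
    does not match. This toy requires the whole message to be consumed."""
    values = {}
    pos = 0  # cursor in message
    i = 0    # cursor in pattern
    while i < len(pattern):
        m = ESTRING_RE.match(pattern, i)
        if m:
            name, delim = m.group(1), m.group(2)
            end = len(message) if delim == "" else message.find(delim, pos)
            if end < 0:
                return None  # delimiter never appears
            if name:  # @ESTRING::(@ has an empty name: match but do not store
                values[name] = message[pos:end]
            pos, i = end + len(delim), m.end()
        else:
            if pos >= len(message) or message[pos] != pattern[i]:
                return None  # literal text differs
            pos, i = pos + 1, i + 1
    return values if pos == len(message) else None


if __name__ == "__main__":
    for msg in (MSG_LOGIN_AS_ROOT, MSG_LOGIN_BY_NONROOT):
        print(msg)
        print("  uid=0 literal :", match_pattern(PATTERN_ROOT_LITERAL, msg))
        print("  uid captured  :", match_pattern(PATTERN_CAPTURE_UID, msg))
```

With the literal uid=0 pattern the second message produces no match at all, so a login opened by a non-root process would go unparsed; the capturing variant records the caller's uid as usracct.uid instead.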
On 10/30/2010 12:05 AM, Matthew Hall wrote:
> On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
>> On 10/29/2010 04:32 PM, Martin Holste wrote:
>>> Won't the user login pattern only catch root logins because of uid=0?
>>>
>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>>>
>>> Couldn't it be changed to
>>>
>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>>
>> No, check my log samples I used to create the patterns. User "czanik" has uid=1000, still all the logs end with (uid=0):
>>
>> Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)
>
> The reason for this is that the (uid=0) indicates the uid of the user who opened the session, meaning that the login was created by something running as the root user, uid 0. So in reality the pattern should capture this other variable somewhere, for people who have daemons which are non-root.
OK. For now I leave it as is, and I'm very interested to see if it causes any problem anywhere. If yes, I'm happy to add support for it any time.

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
On Tue, 2010-11-02 at 17:07 +0100, Peter Czanik wrote:
> On 10/30/2010 12:05 AM, Matthew Hall wrote:
>> On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
>>> On 10/29/2010 04:32 PM, Martin Holste wrote:
>>>> Won't the user login pattern only catch root logins because of uid=0?
>>>>
>>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>>>>
>>>> Couldn't it be changed to
>>>>
>>>> <pattern>pam_unix(login:session): session opened for user @ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>>>
>>> No, check my log samples I used to create the patterns. User "czanik" has uid=1000, still all the logs end with (uid=0):
>>>
>>> Oct 7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session opened for user czanik by (uid=0)
>>
>> The reason for this is that the (uid=0) indicates the uid of the user who opened the session, meaning that the login was created by something running as the root user, uid 0. So in reality the pattern should capture this other variable somewhere, for people who have daemons which are non-root.
>
> OK. For now I leave it as is, and I'm very interested to see if it causes any problem anywhere. If yes, I'm happy to add support for it any time.
login always runs as the root user. I'd be surprised if there was an exception to that. Don't forget that this is only about the "login" program, executed by getty-s and telnet, not when another daemon authenticates the user (which certainly may run as non-root).

--
Bazsi
On Fri, Nov 05, 2010 at 04:01:31PM +0100, Balazs Scheidler wrote:
> login always runs as the root user. I'd be surprised if there was an exception to that.
>
> Don't forget that this is only about the "login" program, executed by getty-s and telnet, not when another daemon authenticates the user (which certainly may run as non-root).

Perhaps true. But now that POSIX capabilities are catching on it might not be true forever. And an extra patterndb variable never makes anybody worse off. ;-)

> --
> Bazsi