[syslog-ng] login.pdb reworked

Peter Czanik czanik at balabit.hu
Tue Nov 2 17:07:25 CET 2010


On 10/30/2010 12:05 AM, Matthew Hall wrote:
> On Fri, Oct 29, 2010 at 09:46:29PM +0200, Peter Czanik wrote:
>> On 10/29/2010 04:32 PM, Martin Holste wrote:
>>     
>>> Won't the user login pattern only catch root logins because of uid=0?
>>>
>>> <pattern>pam_unix(login:session): session opened for user
>>> @ESTRING:usracct.username: @by @ESTRING::(@uid=0)</pattern>
>>>
>>> Couldn't it be changed to
>>>
>>> <pattern>pam_unix(login:session): session opened for user
>>> @ESTRING:usracct.username: @by
>>> @ESTRING::(@uid=@ESTRING:usracct.uid:)@</pattern>
>> No, check my log samples I used to create the patterns. User "czanik"
>> has uid=1000, still all the logs end with (uid=0):
>>
>> Oct  7 09:28:17 ubuntu login[4454]: pam_unix(login:session): session
>> opened for user czanik by (uid=0)
> The reason for this is because the (uid=0) is indicating the uid of the 
> user who opened the session. Meaning that the login was created by 
> something running as the root user uid 0. So in reality the pattern 
> should capture this other variable somewhere, for people who have 
> daemons which are non-root.
OK. For now I leave it as is, and I'm very interested to see, if it
causes any problem anywhere. If yes, I'm happy to add support for it any
time.
Bye,

-- 
Peter Czanik (CzP) <czanik at balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
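The point under discussion, as an added example that is neither part of the thread nor syslog-ng's own code: a small Python emulation of the patterndb @ESTRING@ parser (match up to a delimiter string, consume the delimiter, optionally store the text under a name) run over the two patterns quoted above and a few constructed pam_unix messages. It assumes, as patterndb does, that a pattern has to consume the whole message to match, and the message texts and the uid 109 are constructed samples. The original pattern matches only sessions opened by uid 0, so a session opened by a non-root daemon is silently unclassified; the reworked pattern captures whatever uid follows "uid=" into usracct.uid.

```python
import re

# Tokenizer for the subset of patterndb syntax used in the thread:
# literal text and @ESTRING:name:delimiter@ parsers (name may be empty).
ESTRING_RE = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

# Patterns as quoted in the thread, joined onto one line each (mail wrapping removed).
PATTERN_ORIGINAL = ("pam_unix(login:session): session opened for user "
                    "@ESTRING:usracct.username: @by @ESTRING::(@uid=0)")
PATTERN_REWORKED = ("pam_unix(login:session): session opened for user "
                    "@ESTRING:usracct.username: @by @ESTRING::(@uid=@ESTRING:usracct.uid:)@")

# Constructed sample $MESSAGE texts (the part after "login[4454]: " in the log line).
MSG_ROOT = "pam_unix(login:session): session opened for user czanik by (uid=0)"
MSG_DAEMON = "pam_unix(login:session): session opened for user czanik by (uid=109)"
MSG_LOGIN = "pam_unix(login:session): session opened for user czanik by LOGIN(uid=0)"


def tokenize(pattern):
    """Split a pattern into ("literal", text) and ("estring", name, delim) tokens."""
    tokens = []
    pos = 0
    for m in ESTRING_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("literal", pattern[pos:m.start()]))
        tokens.append(("estring", m.group(1), m.group(2)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("literal", pattern[pos:]))
    return tokens


def match(pattern, message):
    """Return the captured name/value pairs if the pattern consumes the whole
    message (assumed to mirror patterndb's full-match rule), otherwise None."""
    fields = {}
    pos = 0
    for token in tokenize(pattern):
        if token[0] == "literal":
            literal = token[1]
            if not message.startswith(literal, pos):
                return None
            pos += len(literal)
        else:
            _, name, delim = token
            end = message.find(delim, pos)   # ESTRING may match the empty string
            if end < 0:
                return None
            if name:
                fields[name] = message[pos:end]
            pos = end + len(delim)          # the delimiter itself is consumed
    return fields if pos == len(message) else None


def classify(message):
    """Run both patterns over one message so the coverage gap is visible side by side."""
    return {
        "original": match(PATTERN_ORIGINAL, message),
        "reworked": match(PATTERN_REWORKED, message),
    }


if __name__ == "__main__":
    for msg in (MSG_ROOT, MSG_DAEMON, MSG_LOGIN):
        print(msg)
        for name, result in classify(msg).items():
            print(f"  {name:8s} -> {result}")
```

The third sample shows why the pattern uses an anonymous `@ESTRING::(@` before "uid=" rather than a literal "(": the text between "by " and "(" is the PAM remote user, which is empty in the thread's samples but can be non-empty on other systems, and the anonymous parser absorbs either form.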
