SUMMARY: real owner of a process - more info "audit user id"

Roetman, Paul Paul.Roetman at dpiterminals.com
Wed Jun 22 01:19:35 EDT 2005


Thanks to
	Crist Clark
	Stuart Saxon
	John Leadeham
	Michael Sullivan

Who all gave clues to the final solution! The closest was the suggestion of
using
	getauid()               [now superseded by getaudit()]

but, this only gets the current c program audit process id. There may be a way
of modifying it to find other process id's but in the process of researching
that - I stumbled upon

	auditconfig -getpinfo $PID

# auditconfig -getpinfo 25961
audit id = jo (1000)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 0,0,abcd.efgh.com(123.123.123.123)
audit session id = 26935

Where the audit id is the user who originally logged into the server! This is
exactly what I require!!!! And, as an unexpected bonus, it also gives the name
and IP address where the Xterm session was started (abcd.efgh.com is my local
workstation, not the server!)

Note: have to be really careful when testing this, using the "login" command
does not reset the audit user id, and when using VNC, the commands inherit the
user who started VNC! Safest way to test the command is to login to the
machine as the target user and execute the command to be tested.

Thanks all

Paul


-----Original Message-----
From: sunmanagers-bounces at sunmanagers.org
[mailto:sunmanagers-bounces at sunmanagers.org] On Behalf Of Roetman, Paul
Sent: Tuesday, 21 June 2005 9:04 AM
To: sunmanagers at sunmanagers.org
Subject: real owner of a process - more info "audit user id"

I had a few responses, most letting me know to research the "real user id" and
"effective user id". After a bit more research, what I really need is the
"audit user id" (See quote from SunSHIELD book below).


Here is a better example


login: jo
> su -
> prstat -u jo

The prstat command will not list prstat, as its EUID is root

login: jo
> su -
> prstat -U jo

Again, the prstat command will not list prstat, as its UID is also root

Same again with the ps command. Need to start two sessions:

login: jo
> su -
> prstat

second session:

login: jo
> su -
> ps -u jo            <== (effective user id) does not report the above prstat
> ps -U jo            <== (real user id) also does not report the above prstat


BUT, at the end of the day - when running the BSM report, all the above prstat
commands would be reported as "jo" in the audit report.

My target is to create a shell script or c program that reports the audit user
id of the process - jo; exactly how BSM reports it....

Here is a quote from the "SunSHIELD Basic Security Module Guide" (Part Number
806-178910).

Auditing Features
The following features of Solaris BSM auditing are provided to interpret the
audit records:
	The audit ID assigned to a user's processes stays the same even when the
	user ID changes.
	Each session has an audit session ID.
	Full path names are saved in audit records.

Because each audit record contains an audit ID that identifies the user who
generated the event, and because full path names are recorded in audit
records, you can look at individual audit records and get meaningful
information without looking back through the audit trail.

Audit User ID

Solaris BSM processes have an additional user identification attribute not
associated with processes in the standard Solaris release: the audit ID. A
process acquires its audit ID at login time, and this audit ID is inherited by
all child processes.

(After reading this last paragraph, I am losing hope on how to get this info!
It looks like it may not be available in standard Solaris)

Thanks again

Paul

-----Original Message-----
From: sunmanagers-bounces at sunmanagers.org
[mailto:sunmanagers-bounces at sunmanagers.org] On Behalf Of Roetman, Paul
Sent: Monday, 20 June 2005 5:15 PM
To: sunmanagers at sunmanagers.org
Subject: real owner of a process

Is there any quick/simple/easy way to find out who really started an existing
process - similar to what BSM reports?

For example

	login: jo
	password: ****
	$ su - fred
	password: *****
	$ who am I
	jo pts/1   datetime ipaddress    <== reports the original login
	$ whoami
	fred                             <== reports the current login
	$ id
	uid=2001(fred) gid=100(staff)    <== reports the current login
	$ start_background_proc &

When using BSM, it would report the process start_background_proc as started
by jo.

But when using prstat, top, or ps, lsof -p pid, it reports the process as
fred. I would like a command that reports "jo"

This is Solaris 2.8; and using ksh (but any shell will do!).

The purpose of the exercise is to check that certain processes have been started
by the correct login user, so when BSM reports are generated, the correct user
will be running each process! In the above example, a cron script would check
that the process "start_background_proc" user is fred - if not, then send me an
email.

Note: could also do the test in c..

Thanks in advance

Paul
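
The cron check asked for in this first message, built on the
"auditconfig -getpinfo PID" output that the summary at the top of the thread
settled on, and covering the ps/prstat gap described in the second message.
This is an added example, not code posted in the thread. It assumes Solaris with
BSM enabled, pgrep(1) and auditconfig(1M) in the path, and root privilege (so
-getpinfo can inspect other users' processes). The function names, the sample
output block (copied from the summary's own output and used only for testing
the parser) and the mail address in the usage comment are assumptions. On
Solaris 8 run it under /bin/ksh, since the Bourne /bin/sh there lacks $(...).

```shell
#!/bin/sh
# Added example (not from the sunmanagers thread): verify that every running
# copy of a process carries the expected BSM audit user id, i.e. the login
# user that BSM will report, regardless of what su(1M) changed the uid to.

# Print the audit user name from "auditconfig -getpinfo" output read on stdin.
# The relevant line looks like:   audit id = jo (1000)
# Prints nothing if the line is absent (auditing off, PID gone, no privilege).
audit_user_from_pinfo() {
    sed -n 's/^audit id = \([^ ][^ ]*\) (\([0-9][0-9]*\)).*/\1/p'
}

# Same line, but print the numeric audit uid instead of the name.
audit_uid_from_pinfo() {
    sed -n 's/^audit id = \([^ ][^ ]*\) (\([0-9][0-9]*\)).*/\2/p'
}

# Audit user of a live process; empty string if auditconfig fails.
audit_user_of_pid() {
    auditconfig -getpinfo "$1" 2>/dev/null | audit_user_from_pinfo
}

# check_pids LOOKUP EXPECTED PID...
# LOOKUP is the name of a function mapping a PID to its audit user; it is a
# parameter so the comparison logic can be exercised on a box without BSM.
# Prints one line per mismatch and returns 1 if any PID has the wrong audit id.
check_pids() {
    lookup=$1; expected=$2; shift 2
    rc=0
    for pid in "$@"; do
        actual=$("$lookup" "$pid")
        if [ "$actual" != "$expected" ]; then
            echo "pid $pid: audit id '${actual:-none}' != expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# check_process NAME EXPECTED_USER  (the cron entry point)
# Returns 2 if no process of that name is running, 1 on an audit id mismatch.
check_process() {
    pids=$(pgrep -x "$1") || { echo "$1: not running"; return 2; }
    check_pids audit_user_of_pid "$2" $pids
}

# Constructed sample, copied from the -getpinfo output shown in the summary
# message; used to test the parser where auditconfig is not available.
SAMPLE_PINFO='audit id = jo (1000)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 0,0,abcd.efgh.com(123.123.123.123)
audit session id = 26935'

# Usage from cron (address is an assumption):
#   check_process start_background_proc fred \
#       || mailx -s "audit id mismatch" me@example.com
```

Because the audit id is inherited across su(1M) and, as the summary notes, is
not reset by login(1) or by commands started under a VNC session, a mismatch
reported here means the daemon will show up under the wrong login in the BSM
trail; test the check from a fresh login as the target user, exactly as the
summary advises.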




