Thanks to

    Crist Clark
    Stuart Saxon
    John Leadeham
    Michael Sullivan

who all gave clues to the final solution!

The closest was the suggestion of using getauid() [now superseded by getaudit()], but this only gets the current C program audit process id. There may be a way of modifying it to find other process ids, but in the process of researching that, I stumbled upon

    auditconfig -getpinfo $PID

    # auditconfig -getpinfo 25961
    audit id = jo (1000)
    process preselection mask = ex,lo(0x40001000,0x40001000)
    terminal id (maj,min,host) = 0,0,abcd.efgh.com(123.123.123.123)
    audit session id = 26935

Where the audit id is the user who originally logged into the server!

This is exactly what I require!!!!

And, as an unexpected bonus, it also gives the name and IP address where the Xterm session was started (abcd.efgh.com is my local workstation, not the server!)

Note: have to be really careful when testing this; using the "login" command does not reset the audit user id, and when using VNC, the commands inherit the user who started VNC! The safest way to test the command is to log in to the machine as the target user and execute the command to be tested.

Thanks all

Paul

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Roetman, Paul
Sent: Tuesday, 21 June 2005 9:04 AM
To: sunmanagers@sunmanagers.org
Subject: real owner of a process - more info "audit user id"

I had a few responses, most letting me know to research the "real user id" and "effective user id".

After a bit more research, what I really need is the "audit user id" (see the quote from the SunSHIELD book below).

Here is a better example:

    login: jo
    > su -
    > prstat -u jo

The prstat command will not list prstat, as its EUID is root.

    login: jo
    > su -
    > prstat -U jo

Again, the prstat command will not list prstat, as its UID is also root.

Same again with the ps command.
Need to start two sessions:

    login: jo
    > su -
    > prstat

second session:

    login: jo
    > su -
    > ps -u jo      <== (effective user id) does not report the above prstat
    > ps -U jo      <== (real user id) also does not report the above prstat

BUT, at the end of the day, when running the BSM report, all the above prstat commands would be reported as "jo" in the audit report.

My target is to create a shell script or C program that reports the audit user id of the process - jo; exactly how BSM reports it....

Here is a quote from the "SunSHIELD Basic Security Module Guide" (Part Number 806-178910).

    Auditing Features

    The following features of Solaris BSM auditing are provided to interpret the audit records:

    - The audit ID assigned to a user's processes stays the same even when the user ID changes.
    - Each session has an audit session ID.
    - Full path names are saved in audit records.

    Because each audit record contains an audit ID that identifies the user who generated the event, and because full path names are recorded in audit records, you can look at individual audit records and get meaningful information without looking back through the audit trail.

    Audit User ID

    Solaris BSM processes have an additional user identification attribute not associated with processes in the standard Solaris release: the audit ID. A process acquires its audit ID at login time, and this audit ID is inherited by all child processes.

(After reading this last paragraph, I am losing hope on how to get this info! It looks like it may not be available in standard Solaris.)

Thanks again

Paul

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Roetman, Paul
Sent: Monday, 20 June 2005 5:15 PM
To: sunmanagers@sunmanagers.org
Subject: real owner of a process

Is there any quick/simple/easy way to find out who really started an existing process - similar to what BSM reports?
For example:

    login: jo
    password: ****
    $ su - fred
    password: *****
    $ who am I
    jo pts/1 datetime ipaddress      <== reports the original login
    $ whoami
    fred                             <== reports the current login
    $ id
    uid=2001(fred) gid=100(staff)    <== reports the current login
    $ start_background_proc &

When using BSM, it would report the process start_background_proc as started by jo. But when using prstat, top, or ps, lsof -p pid, it reports the process as fred.

I would like a command that reports "jo".

This is Solaris 2.8, using ksh (but any shell will do!).

The purpose of the exercise is to check that certain processes have been started by the correct login user, so when BSM reports are generated, the correct user will be running each process!

In the above example, a cron script would check that the process "start_background_proc" user is fred - if not, then send me an email.

Note: could also do the test in C.

Thanks in advance

Paul

Received on Wed Jun 22 01:20:26 2005
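The check discussed in this thread (confirming from a cron job that a process's audit user is the expected login), as an added example that is not part of the original posts: it parses the `auditconfig -getpinfo` output format shown in the summary. The function names, the `AWK` variable and the embedded sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the awk in use supports -v and sub(); on Solaris 8 that means
# nawk or /usr/xpg4/bin/awk, so run with AWK=nawk there.
AWK=${AWK:-awk}

# Constructed sample: the getpinfo output quoted in the summary message.
SAMPLE_PINFO='audit id = jo (1000)
process preselection mask = ex,lo(0x40001000,0x40001000)
terminal id (maj,min,host) = 0,0,abcd.efgh.com(123.123.123.123)
audit session id = 26935'

# Print one field of getpinfo output read from stdin.
# $1 = user | auid | host | session; exit status 1 if the field is absent.
pinfo_field() {
    "$AWK" -v want="$1" '
        { v = $0; sub(/^[^=]*= */, "", v) }        # text after "= "
        /^audit id *=/ {                           # "jo (1000)" or "jo(1000)"
            name = v; sub(/ *\(.*$/, "", name)
            id = v; sub(/^[^(]*\(/, "", id); sub(/\).*$/, "", id)
            f["user"] = name; f["auid"] = id
        }
        /^terminal id/ { n = split(v, p, ","); f["host"] = p[n] }
        /^audit session id *=/ { f["session"] = v }
        END { if (want in f) print f[want]; else exit 1 }
    '
}

# $1 = expected audit user, getpinfo output on stdin.
# Returns 0 on match, 1 on mismatch, 2 if no audit id line was found.
check_audit_user() {
    actual=$(pinfo_field user) || return 2
    [ "$actual" = "$1" ]
}

# Usage from cron: script PID EXPECTED_USER
# Assumption: the caller is allowed to run auditconfig on the BSM host.
if [ $# -eq 2 ]; then
    auditconfig -getpinfo "$1" | check_audit_user "$2"
    case $? in
        1) echo "PID $1: audit user is not $2" ;;
        2) echo "PID $1: no audit id in auditconfig output" ;;
    esac
fi
```

Because the script prints only on a mismatch or a parse failure, a cron entry stays silent while the audit user is the expected one.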
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:49 EST