OpenBSM questions
Robert Watson
rwatson at FreeBSD.org
Sat Jul 14 18:33:36 UTC 2007
On Sat, 14 Jul 2007, Garrett Wollman wrote:
> <<On Sat, 14 Jul 2007 16:45:14 +0100 (BST), Robert Watson
> <rwatson at freebsd.org> said:
>
>> This is correct -- login services must be modified to properly set up user
>> audit state at login. I am not familiar with work relating to this with
>> xdm, kdm, gdm, etc, but it would be very good to see this happen.
>
> Surely this is something that belongs in a PAM module...? The whole point
> of the PAM framework is that you should *not* have to modify every program
> that does a login when new mechanisms are introduced or policy changes.
Setting login state is not the only thing that audit does. Audit requirements
also exist to audit failures in the login process that may be entirely
unrelated to authentication.
That said, I'm not 100% sure that the audit state, leaving aside the auditing
of login events, couldn't be done in a PAM module. An interesting question is
why the rest of the UNIX credential is also not set up using PAM -- see calls
to setlogin(2), setusercontext(3), etc, in login.c and other things involved
in login.
Robert N M Watson
Computer Laboratory
University of Cambridge
More information about the freebsd-security
mailing list