CAPIM: The result of keyboard logger log on RHEL8
Article ID: 227739
Updated On:
Products
CA Privileged Identity Management Endpoint (PIM)
Issue/Introduction
The user becomes root in kbl log on GUI (gnome) login.
This happens on RHEL 8 but not on RHEL 7.
This happens on RHEL 8 but not on RHEL 7.
To record kbl log for GUI login, define following loginappl rule:
AC> editres LOGINAPPL ('GNOME_KBL') audit(ALL) defaccess(EXECUTE) owner('nobody') loginflags(KBLTRIGGE) loginmethod(NORMAL) loginseq(N3GRP N3GID N3UID N3EID FGRP FGID FUID FEID SGRP SGID SUID SEID) loginpath(/usr/libexec/gnome-terminal-server)
However, after logging into the sever via GUI by normal user, sewhoami command shows the user as root and kbl log also shows the user as root (login/logout log shows correct user).
And login terminal is not shown in logs.
# sewhoami -a
root
...
# seaudit -kbl
18 Oct 2021 21:34:34 P LOGIN user01 11903 12 cmdlog
18 Oct 2021 21:34:45 O LOGOUT user01 11903 13 cmdlog
# seaudit -kbl -sid 11903 -cmd
18 Oct 2021 21:34:41 P TRACE root 616e1c13:00000100 user01 root KBL input 11903 INFO : SessionCmd: sewhoami -a
root
...
# seaudit -kbl
18 Oct 2021 21:34:34 P LOGIN user01 11903 12 cmdlog
18 Oct 2021 21:34:45 O LOGOUT user01 11903 13 cmdlog
# seaudit -kbl -sid 11903 -cmd
18 Oct 2021 21:34:41 P TRACE root 616e1c13:00000100 user01 root KBL input 11903 INFO : SessionCmd: sewhoami -a
Environment
Release : 12.8
Component : CA ControlMinder - Unix
Resolution
adding following loginappl rule resolved the problem:
AC> er LOGINAPPL SYSTEMD loginpath(/usr/lib/systemd/systemd) loginflags(PAM) audit(all) defaccess(X)
Feedback
Yes
No
Powered by
