Questions pam_radius and accounting logs
I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5) The authentication works as expected for both, however i am not seeing what i would expect in the accounting. My first question is, is there a setting that i am missing that enables pam_radius to send the full accounting back to the ACS? I do see the start/stop packets, however i only ever see the "sudo" issued as a NAS identifier, and never anything else. ==== output from /var/log/messages Jul 24 10:04:00 secutil sshd[6148]: Accepted password for test_user from XXX.XXX.XXX.XXX port 53291 ssh2 Jul 24 10:04:00 secutil sshd[6148]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument Jul 24 10:04:24 secutil sudo: pam_radius_auth: Got user name test_user Jul 24 10:04:24 secutil sudo: pam_radius_auth: ignore last_pass, force_prompt set Jul 24 10:04:29 secutil sudo: pam_radius_auth: Sending RADIUS request code 1 Jul 24 10:04:29 secutil sudo: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7f3b816089a0. Jul 24 10:04:29 secutil sudo: pam_radius_auth: Got RADIUS response code 2 Jul 24 10:04:29 secutil sudo: pam_radius_auth: authentication succeeded Jul 24 10:04:29 secutil sudo: test_user : TTY=pts/1 ; PWD=/home/test_user ; USER=root ; COMMAND=/bin/cat /etc/named.conf ==== output from ACS Start Accounting Details : Diagnostics Details ACS Configuration Changes Logged At : Jul 24,17 10:04:29.336 AM ACS Time : Jul 24,17 10:04:29.313 AM ACS Server : scrubbed User Name : root Failure Reason : Identity Store : Identity Group : Network Device Name : Linux_Servers Network Device Group : Device Type:All Device Types, Location:All Locations Service Selection Rule Name : Access Service : Security Group : AD Domain : Authorization Profile: MAC Address : Endpoint IP Address : NAS IP Address : scrubbed NAS Port : 6171 NAS Port Id: NAS Identifier : sudo Account Status Type : Start Account Session Id : 00006171 Account MultiSession Id : Audit Session Id : ACS Session Id : scrubbed/230060300/66963046 Account Authentic : RADIUS Account Terminate Cause : Terminate Action : Account Interim Intervals : Account Delay Time : Account Session Time : Account Input Octets : Account Output Octets : Account Input Packets : Account Output Packets : Account Tunnel Connection : Account Tunnel Packet Lost : Session Timeout : Idle Timeout : Event Timestamp : Service Type : Response Time : 1 Class : Framed Protocol : Tunnel Details : Cisco H323 : Cisco SSG : Cisco-AvPairs : Other Attributes : ACSVersion=acs-5.5.0.46-B.723 ConfigVersionId=200 NAS-Port-Type=Virtual Device IP Address=scrubbed Audit Session Key root:sudo:6171 Steps Received RADIUS Accounting-Request RADIUS created a new session Evaluating Service Selection Policy Matched rule Selected Access Service - Accounting start was received for non-existing session. Returned RADIUS Accounting-Response ==== output from ACS Stop Accounting Details : Diagnostics Details ACS Configuration Changes Logged At : Jul 24,17 10:04:29.336 AM ACS Time : Jul 24,17 10:04:29.320 AM ACS Server : scrubbed User Name : root Failure Reason : Identity Store : Identity Group : Network Device Name : Linux_Servers Network Device Group : Device Type:All Device Types, Location:All Locations Service Selection Rule Name : Access Service : Security Group : AD Domain : Authorization Profile: MAC Address : Endpoint IP Address : NAS IP Address : scrubbed NAS Port : 6171 NAS Port Id: NAS Identifier : sudo Account Status Type : Stop Account Session Id : 00006171 Account MultiSession Id : Audit Session Id : ACS Session Id : scrubbed/230060300/66963047 Account Authentic : RADIUS Account Terminate Cause : Terminate Action : Account Interim Intervals : Account Delay Time : Account Session Time : 0 Account Input Octets : Account Output Octets : Account Input Packets : Account Output Packets : Account Tunnel Connection : Account Tunnel Packet Lost : Session Timeout : Idle Timeout : Event Timestamp : Service Type : Response Time : 1 Class : Framed Protocol : Tunnel Details : Cisco H323 : Cisco SSG : Cisco-AvPairs : Other Attributes : ACSVersion=acs-5.5.0.46-B.723 ConfigVersionId=200 NAS-Port-Type=Virtual Device IP Address=scrubbed Audit Session Key root:sudo:6171 Received RADIUS Accounting-Request RADIUS created a new session Evaluating Service Selection Policy Matched rule Selected Access Service - Audit session was not found. Returned RADIUS Accounting-Response ==== /etc/pam.d/sshd auth sufficient pam_radius_auth.so debug account sufficient pam_radius_auth.so debug session sufficient pam_radius_auth.so debug #auth include tacacs auth required pam_sepermit.so auth include password-auth #account include tacacs account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule #session include tacacs session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth ==== /etc/pam.d/sudo auth sufficient pam_radius_auth.so debug account sufficient pam_radius_auth.so debug session sufficient pam_radius_auth.so debug auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so /etc/raddb/server (scrubbed) XXX.XXX.XXX.XXX test 3 Am i just incorrect in my assumptions on what i think i should be seeing with the accounting? I know with other devices, I can see the full accounting commands issued, but i do not know if that is a limitation with Linux and pam_radius, or if i have something set incorrectly. Thanks in advance, GR
On Jul 24, 2017, at 11:34 AM, Junk XL via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5)
That should work. It' just RADIUS.
The authentication works as expected for both, however i am not seeing what i would expect in the accounting.
My first question is, is there a setting that i am missing that enables pam_radius to send the full accounting back to the ACS?
No.
I do see the start/stop packets, however i only ever see the "sudo" issued as a NAS identifier, and never anything else.
Because PAM doesn't do that. PAM just does login, logout, and session times. PAM doesn't get called every time the user runs a command.
Am i just incorrect in my assumptions on what i think i should be seeing with the accounting?
I don't know what you think you should be seeing. You haven't said what you expect to see.
I know with other devices, I can see the full accounting commands issued, but i do not know if that is a limitation with Linux and pam_radius, or if i have something set incorrectly.
What are "full accounting commands"? If you expect to see every command run by the user, it won't work. PAM doesn't do that. No amount of poking pam_radius will make it work. Alan DeKok.
What i expected to see was the sudo commands issued, rather than just a start/stop packet and 'sudo' in the NAS identifier. However i understand PAM's limitations, and half expected that to be the issue, but wasn't sure if enabling something like pam_tty_audit was required. Thank you for the clarification. Kind Regards, GR ________________________________ From: Alan DeKok <aland@deployingradius.com> To: Junk XL <junkxl@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Monday, July 24, 2017 11:15 AM Subject: Re: Questions pam_radius and accounting logs On Jul 24, 2017, at 11:34 AM, Junk XL via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5)
That should work. It' just RADIUS.
The authentication works as expected for both, however i am not seeing what i would expect in the accounting.
My first question is, is there a setting that i am missing that enables pam_radius to send the full accounting back to the ACS?
No.
I do see the start/stop packets, however i only ever see the "sudo" issued as a NAS identifier, and never anything else.
Because PAM doesn't do that. PAM just does login, logout, and session times. PAM doesn't get called every time the user runs a command.
Am i just incorrect in my assumptions on what i think i should be seeing with the accounting?
I don't know what you think you should be seeing. You haven't said what you expect to see.
I know with other devices, I can see the full accounting commands issued, but i do not know if that is a limitation with Linux and pam_radius, or if i have something set incorrectly.
What are "full accounting commands"? If you expect to see every command run by the user, it won't work. PAM doesn't do that. No amount of poking pam_radius will make it work. Alan DeKok.
participants (2)
-
Alan DeKok -
Junk XL