Read Verbose Event Log Entries
/* This is a test */ if (user == "sandy") reject;
The output when pblog -l is run against this event log entry is as follows:
Reject 2010/06/23 11:33:34 sandy@octopus.company.com by root@octopus.company.com ls Request rejected by pbmasterd on octopus.company.com. argc = 1 argv = {"ls"} bkgd = 0 clienthost = "octopus.company.com" command = "ls" cwd = "/var/log" date = "2010/06/23" day = 23 dayname = "Wed" env = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"} event = "Reject" eventlog = "/var/log/pb.eventlog" exitstatus = "Request rejected by pbmasterd on octopus.company.com.[a]" false = 0 group = "uts" groups = {"uts"} host = "octopus.company.com" hour = 11 i18n_date = "06/23/10" i18n_day = "23" i18n_dayname = "Wed" i18n_hour = "11" i18n_minute = "33" i18n_month = "06" i18n_time = "11:33:34" i18n_year = "2010" iolog = "" lineinfile = "/opt/pbul/policies/pb.conf" linenum = "1" localmode = 0 lognopassword = 1 logport = "32224" logservers = {"sandy"} logstderr = 1 logstdin = 1 logstdout = 1 masterhost = "octopus.company.com" masterlocale = "C" minute = 33 month = 6 nice = 0 optarg = "" opterr = 1 optimizedrunmode = 1 optind = 1 optopt = "" optreset = 1 optstrictparameters = 1 pbclientmode = "run" pbclientname = "pbrun" pblogdmachine = "i686" pblogdnodename = "sandy" pblogdrelease = "2.6.22.5-31-default" pblogdsysname = "Linux" pblogdversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbmasterdmachine = "i686" pbmasterdnodename = "sandy" pbmasterdrelease = "2.6.22.5-31-default" pbmasterdsysname = "Linux" pbmasterdversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbrunmachine = "i686" pbrunnodename = "sandy" pbrunrelease = "2.6.22.5-31-default" pbrunsysname = "Linux" pbrunversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbversion = "6.1.0-15" pid = 18511 psmcmapid = "7f0000024c22537e484D" ptyflags = 7 rejectnullpasswords = 0 requestuser = "sandy" rlimit_as = -977616896 rlimit_core = 0 rlimit_cpu = -1 rlimit_data = -1 rlimit_fsize = -1 rlimit_locks = -1 rlimit_memlock = 32768 rlimit_nofile = 1024 rlimit_nproc = 15349 rlimit_rss = 1692928000 
rlimit_stack = 8388608 runargv = {"ls"} runbkgd = 0 runcommand = "ls" runcwd = "/var/log" runenablerlimits = 0 runenv = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"} rungroup = "sandy" rungroups = {"sandy", "amanda"} runhost = "octopus.company.com" runlocalmode = 0 runnice = 0 runoptimizedrunmode = 1 runptyflags = 7 runrlimit_as = -977616896 runrlimit_core = 0 runrlimit_cpu = -1 runrlimit_data = -1 runrlimit_fsize = -1 runrlimit_locks = -1 runrlimit_memlock = 32768 runrlimit_nofile = 1024 runrlimit_nproc = 15349 runrlimit_rss = 1692928000 runrlimit_stack = 8388608 runsolarisproject = "" runtimeout = 0 runtimeoutoverride = 0 runumask = 18 runuser = "sandy" solarisproject = "" status = 0 submithost = "octopus.company.com" submithostip = "127.0.0.2" submitlocale = "en_US.UTF-8" submitpid = 18509 subprocuser = "sandy" time = "11:33:34" timezone = "PDT" true = 1 ttyname = "/dev/pts/20" umask = 18 uniqueid = "7f0000024c22537e484F" user = "sandy" year = 2010
This log entry shows that the request was rejected. The reject statement is on line 1 (linenum) of the file /opt/pbul/policies/pb.conf (lineinfile), which matches the single-line test policy above; use these two variables to locate the exact policy statement that produced a reject or accept.
/* Another test policy */ adminusers = {"sandy", "happy"}; okcommands = {"ls", "mount"}; if ((user in adminusers) && (command in okcommands)) { runuser = "root"; accept; }
sandy executes the command:
pbrun ls
The event log entry displayed by pblog -l is similar to:
Accept 2010/06/23 11:43:44 sandy@octopus.company.com -> root@octopus.company.com by octopus.company.com ls Command finished with exit status 0 argc = 1 argv = {"ls"} bkgd = 0 clienthost = "octopus.company.com" command = "ls" cwd = "/tmp" date = "2010/06/23" day = 23 dayname = "Wed" env = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"} event = "Accept" eventlog = "/var/log/pb.eventlog" exitdate = "2010/06/23" exitstatus = "Command finished with exit status 0" exittime = "11:43:45" false = 0 group = "uts" groups = {"uts"} host = "octopus.company.com" hour = 11 i18n_date = "06/23/10" i18n_day = "23" i18n_dayname = "Wed" i18n_exitdate = "06/23/10" i18n_exittime = "11:43:45" i18n_hour = "11" i18n_minute = "43" i18n_month = "06" i18n_time = "11:43:44" i18n_year = "2010" iolog = "" lineinfile = "/opt/pbul/policies/pb.conf" linenum = "1" localmode = 0 lognopassword = 1 logpid = 18829 logport = "32224" logservers = {"octopus"} logstderr = 1 logstdin = 1 logstdout = 1 masterhost = "octopus.company.com" masterlocale = "C" minute = 43 month = 6 nice = 0 optarg = "" opterr = 1 optimizedrunmode = 1 optind = 1 optopt = "" optreset = 1 optstrictparameters = 1 pbclientmode = "run" pbclientname = "pbrun" pblogdmachine = "i686" pblogdnodename = "octopus" pblogdrelease = "2.6.22.5-31-default" pblogdsysname = "Linux" pblogdversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbmasterdmachine = "i686" pbmasterdnodename = "octopus" pbmasterdrelease = "2.6.22.5-31-default" pbmasterdsysname = "Linux" pbmasterdversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbrunmachine = "i686" pbrunnodename = "octopus" pbrunrelease = "2.6.22.5-31-default" pbrunsysname = "Linux" pbrunversion = "#1 SMP 2007/09/21 22:29:00 UTC" pbversion = "6.1.0-15" pid = 18824 psmcmapid = "7f0000024c2255e04986" ptyflags = 7 rejectnullpasswords = 0 requestuser = "sandy" rlimit_as = -977616896 rlimit_core = 0 rlimit_cpu = -1 rlimit_data = -1 rlimit_fsize = -1 
rlimit_locks = -1 rlimit_memlock = 32768 rlimit_nofile = 1024 rlimit_nproc = 15349 rlimit_rss = 1692928000 rlimit_stack = 8388608 runargv = {"ls"} runbkgd = 0 runcommand = "ls" runcwd = "/tmp" runenablerlimits = 0 runenv = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"} rungroup = "uts" rungroups = {"uts"} runhost = "octopus.company.com" runlocalmode = 0 runnice = 0 runoptimizedrunmode = 1 runpid = 18822 runptyflags = 7 runrlimit_as = -977616896 runrlimit_core = 0 runrlimit_cpu = -1 runrlimit_data = -1 runrlimit_fsize = -1 runrlimit_locks = -1 runrlimit_memlock = 32768 runrlimit_nofile = 1024 runrlimit_nproc = 15349 runrlimit_rss = 1692928000 runrlimit_stack = 8388608 runsolarisproject = "" runtimeout = 0 runtimeoutoverride = 0 runumask = 18 runuser = "sandy" solarisproject = "" status = 0 submithost = "octopus.company.com" submithostip = "127.0.0.2" submitlocale = "en_US.UTF-8" submitpid = 18822 subprocuser = "root" time = "11:43:44" timezone = "PDT" true = 1 ttyname = "/dev/pts/20" umask = 18 uniqueid = "7f0000024c2255e04988" user = "sandy" year = 2010
The major differences between the output of this pblog -l example and the previous (rejected) one are:
- The inclusion of the run variables (runcommand, runuser, rungroup, runenv, and so forth), which record what was actually executed rather than what was requested
- The inclusion of the exit variables (exittime, exitdate, and an updated exitstatus)
- The user-defined variables adminusers and okcommands
By looking at the values in this output, you can determine the following:
- When a user ran a command (time and date)
- Where a user ran the command (ttyname, submithost, and submithostip)
- The command that the user requested (command)
- Which command was actually run (runcommand)
- What user the command was run as (runuser), and with what environment (runenv). Note that in this example the submitting user's environment, including a PATH that starts with the current directory (PATH=.:/usr/local/bin), is carried over into runenv unchanged; when a policy elevates privileges this is worth checking, because the run environment determines which binary a bare command name such as ls resolves to.
- How and when it terminated (exitstatus, exitdate, and exittime)
- The value of locale settings (values of LC_xxxx environment variables) on the submithost and Policy Server host (submitlocale and masterlocale)
For example, on a Linux platform when all LC_xxxx variables (LC_CTYPE, LC_MONETARY, LC_TIME, and so on) are set to the same value, such as "C", submitlocale displays as that single value ("C"); however, on an HP-UX or AIX platform, it displays as "C C C C C".
In addition, on the same Linux platform, if LC_CTYPE is set to "POSIX" and every other LC_xxxx variable is set to "C", submitlocale displays as follows:
LC_CTYPE=POSIX;LC_NUMERIC=C;LC_TIME=C;LC_COLLATE=C;LC_MONETARY=C;LC_MESSAGES=C;LC_PAPER=C;LC_NAME=C;LC_ADDRESS=C;LC_TELEPHONE=C;LC_MEASUREMENT=C;LC_IDENTIFICATION=C
On HP-UX with those same settings, submitlocale displays as "C POSIX C C C C".