Read Verbose Event Log Entries

Given the following simple policy:
/* This is a test */
if (user == "sandy")   /* 'user' is the requesting user; compare with user = "sandy" in the pblog output */
reject;                /* a reject statement yields an event = "Reject" entry; its line is recorded in linenum/lineinfile */

The output when pblog -l is run is as follows:

Reject 2010/06/23 11:33:34 sandy@octopus.company.com by root@octopus.company.com
ls
Request rejected by pbmasterd on octopus.company.com.

argc = 1
argv = {"ls"} bkgd = 0
clienthost = "octopus.company.com" 
command = "ls"
cwd = "/var/log" 
date = "2010/06/23"

day = 23 dayname = "Wed"
env = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"}
event = "Reject"
eventlog = "/var/log/pb.eventlog"
exitstatus = "Request rejected by pbmasterd on octopus.company.com." false = 0
group = "uts" groups = {"uts"}
host = "octopus.company.com" hour = 11
i18n_date = "06/23/10" i18n_day = "23"
i18n_dayname = "Wed" i18n_hour = "11"
i18n_minute = "33"
i18n_month = "06"
i18n_time = "11:33:34"
i18n_year = "2010" iolog = ""
lineinfile = "/opt/pbul/policies/pb.conf"
linenum = "1"
localmode = 0
lognopassword = 1
logport = "32224" logservers = {"sandy"} 
logstderr = 1
logstdin = 1
logstdout = 1
masterhost = "octopus.company.com"
masterlocale = "C"
minute = 33
month = 6
nice = 0 optarg = "" 
opterr = 1
optimizedrunmode = 1
optind = 1
optopt = "" 
optreset = 1
optstrictparameters = 1 
pbclientmode = "run" 
pbclientname = "pbrun" 
pblogdmachine = "i686" 
pblogdnodename = "sandy"
pblogdrelease = "2.6.22.5-31-default" 
pblogdsysname = "Linux"
pblogdversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbmasterdmachine = "i686"
pbmasterdnodename = "sandy" 
pbmasterdrelease = "2.6.22.5-31-default" 
pbmasterdsysname = "Linux"
pbmasterdversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbrunmachine = "i686"
pbrunnodename = "sandy"
pbrunrelease = "2.6.22.5-31-default"
pbrunsysname = "Linux"
pbrunversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbversion = "6.1.0-15"
pid = 18511
psmcmapid = "7f0000024c22537e484D" 
ptyflags = 7
rejectnullpasswords = 0 requestuser = "sandy" rlimit_as = -977616896
rlimit_core = 0
rlimit_cpu = -1
rlimit_data = -1
rlimit_fsize = -1
rlimit_locks = -1
rlimit_memlock = 32768
rlimit_nofile = 1024
rlimit_nproc = 15349
rlimit_rss = 1692928000
rlimit_stack = 8388608 
runargv = {"ls"}
runbkgd = 0
runcommand = "ls" 
runcwd = "/var/log" 
runenablerlimits = 0
runenv = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"}
rungroup = "sandy"
rungroups = {"sandy", "amanda"} 
runhost = "octopus.company.com" 
runlocalmode = 0
runnice = 0
runoptimizedrunmode = 1
runptyflags = 7
runrlimit_as = -977616896
runrlimit_core = 0
runrlimit_cpu = -1
runrlimit_data = -1
runrlimit_fsize = -1
runrlimit_locks = -1
runrlimit_memlock = 32768
runrlimit_nofile = 1024
runrlimit_nproc = 15349
runrlimit_rss = 1692928000
runrlimit_stack = 8388608 
runsolarisproject = "" 
runtimeout = 0
runtimeoutoverride = 0
runumask = 18 runuser = "sandy" 
solarisproject = "" status = 0
submithost = "octopus.company.com" 
submithostip = "127.0.0.2" 
submitlocale = "en_US.UTF-8" submitpid = 18509
subprocuser = "sandy" time = "11:33:34"
timezone = "PDT" true = 1
ttyname = "/dev/pts/20" 
umask = 18
uniqueid = "7f0000024c22537e484F"
user = "sandy"
year = 2010

This log can be read as follows: the request was rejected. The reject statement is on line 3 (linenum) of the file /opt/pbul/policies/pb.conf (lineinfile).

Given a policy where an Accept can happen:
/* Another test policy */
adminusers = {"sandy", "happy"};   /* user-defined list of users allowed to run okcommands */
okcommands = {"ls", "mount"};      /* user-defined list of commands permitted for adminusers */
if ((user in adminusers) && (command in okcommands))   /* both the requesting user and the requested command must match */
{
runuser = "root"; accept;   /* run the command as root instead of the requesting user, then accept the request */
}

sandy executes the command:

pbrun ls

The event log entry produced by pblog -l is similar to:

Accept 2010/06/23 11:43:44 sandy@octopus.company.com -> root@octopus.company.com by octopus.company.com ls
Command finished with exit status 0 argc = 1
argv = {"ls"} bkgd = 0
clienthost = "octopus.company.com" 
command = "ls"
cwd = "/tmp"
date = "2010/06/23" day = 23
dayname = "Wed"
env = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"}
event = "Accept"
eventlog = "/var/log/pb.eventlog" 
exitdate = "2010/06/23"
exitstatus = "Command finished with exit status 0" 
exittime = "11:43:45"
false = 0 group = "uts"
groups = {"uts"}
host = "octopus.company.com" 
hour = 11
i18n_date = "06/23/10" i18n_day = "23" 
i18n_dayname = "Wed" 
i18n_exitdate = "06/23/10" 
i18n_exittime = "11:43:45"
i18n_hour = "11"
i18n_minute = "43"
i18n_month = "06"
i18n_time = "11:43:44"
i18n_year = "2010" iolog = ""
lineinfile = "/opt/pbul/policies/pb.conf" 
linenum = "1"
localmode = 0
lognopassword = 1
logpid = 18829
logport = "32224" logservers = {"octopus"}
logstderr = 1
logstdin = 1
logstdout = 1
masterhost = "octopus.company.com" 
masterlocale = "C"
minute = 43
month = 6
nice = 0 
optarg = "" 
opterr = 1
optimizedrunmode = 1
optind = 1
optopt = ""
optreset = 1
optstrictparameters = 1 
pbclientmode = "run" 
pbclientname = "pbrun" 
pblogdmachine = "i686"
pblogdnodename = "octopus"
pblogdrelease = "2.6.22.5-31-default" 
pblogdsysname = "Linux"
pblogdversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbmasterdmachine = "i686"
pbmasterdnodename = "octopus"
pbmasterdrelease = "2.6.22.5-31-default" 
pbmasterdsysname = "Linux"
pbmasterdversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbrunmachine = "i686"
pbrunnodename = "octopus" 
pbrunrelease = "2.6.22.5-31-default" 
pbrunsysname = "Linux"
pbrunversion = "#1 SMP 2007/09/21 22:29:00 UTC" 
pbversion = "6.1.0-15"
pid = 18824
psmcmapid = "7f0000024c2255e04986"

ptyflags = 7
rejectnullpasswords = 0 requestuser = "sandy" 
rlimit_as = -977616896
rlimit_core = 0
rlimit_cpu = -1
rlimit_data = -1
rlimit_fsize = -1
rlimit_locks = -1
rlimit_memlock = 32768
rlimit_nofile = 1024
rlimit_nproc = 15349
rlimit_rss = 1692928000
rlimit_stack = 8388608 
runargv = {"ls"} runbkgd = 0
runcommand = "ls" 
runcwd = "/tmp" 
runenablerlimits = 0
runenv = {"LANG=C", "PATH=.:/usr/local/bin", "EDITOR=vi", "LOGNAME=sandy", "MAIL=/var/mail/sandy", "TERM=dtterm", "USER=sandy"}
rungroup = "uts"
rungroups = {"uts"}
runhost = "octopus.company.com" 
runlocalmode = 0
runnice = 0
runoptimizedrunmode = 1
runpid = 18822
runptyflags = 7
runrlimit_as = -977616896
runrlimit_core = 0
runrlimit_cpu = -1
runrlimit_data = -1
runrlimit_fsize = -1
runrlimit_locks = -1
runrlimit_memlock = 32768
runrlimit_nofile = 1024
runrlimit_nproc = 15349
runrlimit_rss = 1692928000
runrlimit_stack = 8388608 
runsolarisproject = "" 
runtimeout = 0
runtimeoutoverride = 0
runumask = 18
runuser = "sandy" 
solarisproject = "" 
status = 0
submithost = "octopus.company.com"
submithostip = "127.0.0.2" 
submitlocale = "en_US.UTF-8" 
submitpid = 18822
subprocuser = "root" 
time = "11:43:44"
timezone = "PDT" true = 1
ttyname = "/dev/pts/20" 
umask = 18
uniqueid = "7f0000024c2255e04988" 
user = "sandy"
year = 2010

The major differences between the output of this pblog -v example and the previous one are:

  • The inclusion of the run variables (runcommand, runuser, rungroup, and so forth)
  • The inclusion of the exit variables (exittime, exitdate, and an updated exitstatus)
  • The user-defined variables adminusers and okcommands

By looking at the values in this output, you can determine the following:

  • When a user ran a command (time and date)
  • Where a user ran the command (ttyname and submithost)
  • The command that the user requested (command)
  • Which command was actually run (runcommand)
  • What user the command was run as (runuser)
  • How it terminated (exitstatus)
  • The value of locale settings (values of LC_xxxx environment variables) on the submithost and Policy Server host (submitlocale and masterlocale)
The value listed for these variables can differ depending on the platform, and on whether the LC_xxxx variables are all set to the same value.

For example, on a Linux platform when all LC_xxxx (LC_CTYPE, LC_MONETARY, LC_TIME, etc.) variables are set to the same value, submitlocale displays as "C"; however, on an HP or AIX platform, it displays as "C C C C C".

In addition, on the same Linux platform, where LC_CTYPE is set to "POSIX", for example, and everything else is set to "C", submitlocale displays as follows:

LC_CTYPE=POSIX;LC_NUMERIC=C;LC_TIME=C;LC_COLLATE=C;LC_MONETARY=C;LC_MESSAGES=C;LC_PAPER=C;LC_NAME=C;LC_ADDRESS=C;LC_TELEPHONE=C;LC_MEASUREMENT=C;LC_IDENTIFICATION=C

On HP with those same settings, submitlocale displays as "C POSIX C C C C".