4. Processes command-line arguments.

5. Sets up the environment variable array.

6. Invokes pam_start() to initialize the PAM library, and to identify the application with a particular service name.

7. Invokes pam_set_item() to record the tty and user name.

8. Validates the user that the application invoker is trying to become.

9. Invokes pam_authenticate() to authenticate the application user. Terminal echo is turned off while the user is typing his or her password. Generates an audit record to log the authentication attempt and its outcome.

10. Invokes pam_acct_mgmt() to perform module-specific account management.

11. If the application user is not root, it checks to make sure that the account permits su.

12. Makes the new environment active.

13. Invokes setup_groups() to set primary and supplementary groups.

14. Invokes pam_setcred() to set parameters such as resource limits, console groups, and so on.

15. Becomes the new user by invoking change_uid(). For normal users, change_uid() sets the real and effective user ID. If the caller is root, the real and saved user IDs are set as well.

5.11.4 Interaction with audit

Trusted processes and trusted commands of the identification and authentication subsystem are responsible for setting the credentials for a process. Once a user is successfully authenticated, these trusted processes and trusted commands associate the user’s identity with the processes that are performing actions on behalf of the user.

The audit subsystem tries to record security-relevant actions performed by users. Because the user identity attributes such as uid can be changed by an appropriately privileged process, the audit subsystem in SLES provides a mechanism by which actions can be associated, irrefutably, to a login user.

This is achieved by extending the process task structure to contain a login id. This login id can only be set once, and once set cannot be changed, regardless of process privileges. Trusted processes and trusted programs that perform authentication set it. Programs such as login, cron, and sshd, which authenticate a user and associate a uid with the user process, set this login id to the uid corresponding to the login user.
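The following C program is an added example, not code from the manual or from SLES. It compares a process's login id with its current effective uid to show how an action taken after su still attributes to the original login user. It assumes the kernel exposes the login id as decimal text in /proc/<pid>/loginuid and reports 4294967295 when none has been set; the function and enum names are hypothetical.

```c
/* Added example: compare a process's audit login id with its current uid. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOGINUID_UNSET 4294967295UL /* assumed "not set" value, (uid_t)-1 */

enum attribution { ATTR_UNSET, ATTR_SAME, ATTR_SWITCHED, ATTR_INVALID };

/* Parse the text of /proc/<pid>/loginuid; returns 0 on success, -1 on bad input. */
int parse_loginuid(const char *text, unsigned long *out)
{
    char *end;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;                      /* rejects empty, signed, non-numeric */
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno != 0 || v > LOGINUID_UNSET || (*end != '\0' && *end != '\n'))
        return -1;
    *out = v;
    return 0;
}

/* Does the current uid still match the uid recorded at login? */
enum attribution classify(const char *loginuid_text, unsigned long current_uid)
{
    unsigned long login;
    if (parse_loginuid(loginuid_text, &login) != 0)
        return ATTR_INVALID;
    if (login == LOGINUID_UNSET)
        return ATTR_UNSET;              /* no authenticating program set it */
    return login == current_uid ? ATTR_SAME : ATTR_SWITCHED;
}

int main(void)
{
    static const char *names[] = { "unset", "same", "switched", "invalid" };
    char buf[32] = "";
    FILE *f = fopen("/proc/self/loginuid", "r"); /* absent without audit support */
    if (f == NULL) { perror("/proc/self/loginuid"); return 1; }
    if (fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    printf("loginuid=%s euid=%lu -> %s\n", buf, (unsigned long)geteuid(),
           names[classify(buf, (unsigned long)geteuid())]);
    return 0;
}
```

Run from a shell reached through su, the program reports "switched": the effective uid is the new user's, while the login id still names the user who authenticated at login.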

5.12 Network applications

This section describes the network applications subsystem. The network applications subsystem contains the Secure Socket Layer (SSL) interface, and the sshd and vsftpd trusted processes, which interact with the PAM modules to perform authentication. The network application subsystem also includes the ping program. These trusted processes and trusted programs recognize different hosts in the LAN by their IP addresses or their names. Host names are associated with IP addresses using the /etc/hosts file.

5.12.1 OpenSSL Secure socket-layer interface

Network communications take place through well-known standards that form the network stack. While public standards allow different systems to communicate with each other, they also open up the possibility of various kinds of attacks.

IBM 10 SP1 EAL4 manual Interaction with audit, Network applications, OpenSSL Secure socket-layer interface