pam_loginuid
Set loginuid audit field during login
SYNOPSIS
pam_loginuid is configured in PAM service configuration files, normally in the session stack. The usual syntax is:
session required pam_loginuid.so [options]
or
session optional pam_loginuid.so [options]
Place this entry early in the session stack of the relevant PAM configuration files (e.g., /etc/pam.d/login, /etc/pam.d/sshd, /etc/pam.d/sudo).
PARAMETERS
require_audit_info
With this option the module only attempts to set the loginuid if audit information (such as the session ID) is already available. If it is not, the module skips setting the loginuid instead of failing.
debug
Enables verbose debug messages, logged via syslog, which can help when troubleshooting PAM configurations.
strict
If specified, the module returns a failure to PAM when it is unable to set the loginuid. This typically happens when the process is not a session leader (e.g., a background daemon that was not started by a login). By default, the module silently succeeds when it cannot set the loginuid in such cases.
no_autopause
(Systemd specific) Prevents systemd from automatically pausing the session when loginuid is set. This is rarely needed for typical PAM configurations.
allow_non_tty
(Systemd specific) Allows the module to attempt to set loginuid even if no TTY is associated with the session. Useful for services that run without a TTY but still require audit tracking.
DESCRIPTION
pam_loginuid is a Pluggable Authentication Module (PAM) that is responsible for setting the kernel's loginuid for a user's session. The loginuid is a special identifier associated with a process, indicating the original user who logged in and initiated the session. This ID is crucial for the Linux Audit Subsystem, as it allows all subsequent audit events originating from that session, regardless of any later UID changes (e.g., via su or sudo), to be correctly attributed to the original user. This ensures a consistent and traceable audit trail for security and compliance purposes.
The module is typically configured as a session module in PAM service files (e.g., /etc/pam.d/sshd, /etc/pam.d/login). It should ideally be placed first in the session stack so that the loginuid is set before other session modules run. If the loginuid is already set (e.g., by sudo), pam_loginuid will not overwrite it, so the original session initiator remains correctly identified.
CAVEATS
The loginuid can only be set once per process. If it is already set (e.g., by an earlier PAM module or by sudo), pam_loginuid will not overwrite it. The process must be a session leader for pam_loginuid to function correctly. Processes not initiated by a direct login (such as those started by at or cron) might not have a loginuid set unless their parent process handles this specifically. Ensure the Linux Audit Subsystem is active and running (e.g., the auditd service) for the loginuid to be of practical use.
CONFIGURATION EXAMPLE
To configure pam_loginuid, add a line to the session stack of the relevant PAM configuration files. For example, in /etc/pam.d/sshd for SSH logins:
session required pam_loginuid.so
This ensures that every SSH session initiated by a user has its loginuid set to that user's ID, enabling proper auditing of all actions performed within that session.
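The following shell script is an added example, not part of the pam_loginuid module or its documentation. It checks that a PAM service file carries pam_loginuid.so in its session stack and reports where in that stack the module sits, and it interprets a raw /proc/<pid>/loginuid value (the kernel reports an unset loginuid as the unsigned 32-bit value 4294967295). The PAM file content it writes is constructed for illustration and is not a real /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example (not from the pam_loginuid project): verify that a PAM service
# file sets the loginuid early in its session stack, and decode a loginuid value.

# Returns 0 if FILE has a session line that loads pam_loginuid.so, 1 otherwise.
has_loginuid_session() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_loginuid\.so' "$1"
}

# Prints the 1-based position of pam_loginuid.so among FILE's session lines
# (0 when absent), so the ordering recommended above can be checked.
loginuid_session_position() {
    awk '
        /^[[:space:]]*session[[:space:]]/ {
            n++
            if ($0 ~ /pam_loginuid\.so/ && !found) { found = n }
        }
        END { print found + 0 }
    ' "$1"
}

# Interprets a raw /proc/<pid>/loginuid value. The kernel stores "never set"
# as 4294967295 (the unsigned form of -1).
loginuid_state() {
    case "$1" in
        4294967295)   echo unset ;;
        ''|*[!0-9]*)  echo invalid ;;
        *)            echo "set:$1" ;;
    esac
}

# Constructed sample of an sshd PAM file (not a real system file).
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
# constructed example resembling /etc/pam.d/sshd
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_loginuid.so
session    required     pam_unix.so
session    optional     pam_systemd.so
EOF

main() {
    if has_loginuid_session "$SAMPLE_PAM"; then
        echo "pam_loginuid is in the session stack at position $(loginuid_session_position "$SAMPLE_PAM")"
    else
        echo "pam_loginuid is missing from the session stack"
    fi
    # Where /proc exposes it, also report the calling process's own loginuid;
    # a shell reached through a proper login should show set:<uid>, not unset.
    if [ -r /proc/self/loginuid ]; then
        echo "current loginuid: $(loginuid_state "$(cat /proc/self/loginuid)")"
    fi
}

main
rm -f "$SAMPLE_PAM"
```

Run it against a real file by replacing SAMPLE_PAM with the path of the service file under review; a position greater than 1 means another session module runs before the loginuid is set, and an unset result from /proc/self/loginuid in an interactive login shell indicates the module is not taking effect for that service.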
INTERACTION WITH SUDO AND SU
When a user logs in, pam_loginuid sets their loginuid. If that user then uses sudo or su to change their effective user ID, the original loginuid persists. This means that even after the user becomes root, all audit events are still logged with the loginuid of the user who originally logged in, providing an audit trail that tracks who initiated the session regardless of later privilege escalation.
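The script below is an added example and is not part of pam_loginuid or the audit tooling. It shows the attribution described above on audit records: the auid field carries the loginuid set at login, while uid carries the effective user at the time of the event, so a record with auid=1000 and uid=0 traces a root action back to the login account 1000. The audit records it processes are constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the pam_loginuid project): read auid (the loginuid)
# and uid out of audit records and classify how each event is attributed.

# Prints "auid uid" for one audit record; a missing field prints as "-".
# Fields are matched at the start of a token, so euid=/suid=/fsuid= are ignored.
audit_auid_uid() {
    printf '%s\n' "$1" | awk '{
        auid = "-"; uid = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/)     { auid = substr($i, 6) }
            else if ($i ~ /^uid=/) { uid = substr($i, 5) }
        }
        print auid, uid
    }'
}

# Classifies a record:
#   unattributed - no loginuid was ever set (auid missing or 4294967295)
#   escalated    - effective uid differs from the login uid (sudo/su path)
#   direct       - the login user acted as themselves
classify_record() {
    set -- $(audit_auid_uid "$1")
    auid=$1; uid=$2
    if [ "$auid" = "-" ] || [ "$auid" = 4294967295 ]; then
        echo unattributed
    elif [ "$auid" != "$uid" ]; then
        echo escalated
    else
        echo direct
    fi
}

# Constructed sample records (not real audit output).
REC_SUDO='type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" key="privileged"'
REC_USER='type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" key="privileged"'
REC_CRON='type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2004 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/sh" key="privileged"'

main() {
    for rec in "$REC_SUDO" "$REC_USER" "$REC_CRON"; do
        echo "$(audit_auid_uid "$rec") -> $(classify_record "$rec")"
    done
}

main
```

The third record is the case the CAVEATS section warns about: a process not started through a login has no loginuid, so its auid is 4294967295 and nothing ties the root action to a person. Alerting on unattributed privileged events is a practical way to find services whose PAM session stack is missing pam_loginuid.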
HISTORY
The concept of an auditable user ID, or loginuid, has been an integral part of the Linux Audit Subsystem since its inception. pam_loginuid emerged as a necessary PAM module to automate the setting of this critical identifier upon user login, ensuring that audit events are consistently linked to the initial session creator. Its development paralleled the maturation of the Linux audit framework, providing a robust, user-space mechanism to integrate session tracking directly with system authentication and authorization processes managed by PAM. While the core functionality has remained stable, minor enhancements and options have been added over time to address specific deployment scenarios and interactions with other system components like systemd.