IBM Support

InfoSphere Guardium: How To Interpret UID Chain

Question & Answer


Question

Why does the UID chain content in a Guardium report contain "root" user information when the user never used the "root" account to connect to AIX/Linux? How is the UID chain content interpreted correctly? E.g. I only used the "informix" user to log in to the AIX server and then issued "dbaccess", but the UID chain looks like this: (1,root,/etc/init)->(3080192,root,/usr/sbin/srcmstr)->(3604610,root,/usr/sbin/inetd)->(7864364, root,telnetd -a)->(16711826,informix,-ksh)->(14352540,informix,dbaccess) Why is there so much "root" user information?

Answer

The UID chain is a mechanism that allows the S-TAP (by way of K-TAP) to record the chain of processes, and the users they ran as, that led up to a database connection. With the UID chain, Guardium can trace the database client process back to the process that started it, and so on back to the original (offending) user.

In the example above, the UID chain is assembled as follows (each entry is (process id, user, command), and the chain is walked from the database client back towards init):
1. First it finds the process id of dbaccess, 14352540, running as user "informix".
2. Process 14352540 was started by process 16711826, "-ksh", still running as user "informix".
3. Process 16711826 (-ksh) was started by process 7864364, "telnetd -a", running as user "root".
4. Likewise, process 7864364 (telnetd -a) was started by process 3604610 (/usr/sbin/inetd), running as user "root".
5. Process 3604610 (/usr/sbin/inetd) was started by process 3080192 (/usr/sbin/srcmstr), running as user "root".
6. Finally, process 3080192 (/usr/sbin/srcmstr) was started by process 1 (/etc/init), running as user "root". This is the original process of the system and is not started by any other process, so the walk stops here. The report then prints the chain oldest-first.
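The walk described in the steps above, as an added example that is not Guardium code and not part of the original answer: follow parent links from a database client process up to PID 1 and render the ancestry in the "(pid,user,cmd)->..." notation the report uses. The live lookup assumes the Linux /proc layout (AIX stores the same information differently); the process table named TELNET_TABLE is constructed to mirror the telnet example in the answer, not captured from a real system.

```python
# Added example (not Guardium/S-TAP code): build a UID chain by walking the
# process tree from a database client process back to init.
import os
import pwd

def proc_lookup(pid):
    """Return (ppid, user, cmd) for a live process by reading Linux /proc.
    Assumption: Linux /proc layout; not valid on AIX."""
    with open(f"/proc/{pid}/status") as f:
        fields = dict(line.split(":", 1) for line in f if ":" in line)
    ppid = int(fields["PPid"].strip())
    uid = int(fields["Uid"].split()[0])          # real uid is the first column
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmd = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    # Kernel threads have an empty cmdline; fall back to the short name.
    return ppid, user, cmd or fields.get("Name", "").strip()

def build_uid_chain(pid, lookup=proc_lookup):
    """Follow parent links from pid until there is no parent (ppid 0) and
    return the ancestry oldest-first, the order the report prints it in."""
    chain = []
    seen = set()                                  # guards against a cycle
    while pid > 0 and pid not in seen:
        seen.add(pid)
        ppid, user, cmd = lookup(pid)
        chain.append((pid, user, cmd))
        pid = ppid
    chain.reverse()
    return chain

def format_uid_chain(chain):
    """Render the chain in the report's "(pid,user,cmd)->..." notation."""
    return "->".join(f"({pid},{user},{cmd})" for pid, user, cmd in chain)

# Constructed process table mirroring the telnet example in the answer:
# pid -> (ppid, user, cmd).  Not captured from a real system.
TELNET_TABLE = {
    1:        (0,        "root",     "/etc/init"),
    3080192:  (1,        "root",     "/usr/sbin/srcmstr"),
    3604610:  (3080192,  "root",     "/usr/sbin/inetd"),
    7864364:  (3604610,  "root",     "telnetd -a"),
    16711826: (7864364,  "informix", "-ksh"),
    14352540: (16711826, "informix", "dbaccess"),
}

def telnet_example_chain():
    """The chain for the dbaccess process in the constructed table."""
    return format_uid_chain(build_uid_chain(14352540, TELNET_TABLE.__getitem__))

if __name__ == "__main__":
    print(telnet_example_chain())
    # On a Linux host this prints the ancestry of the interpreter itself.
    print(format_uid_chain(build_uid_chain(os.getpid())))
```

The chain for the constructed table comes out exactly as the report shows it: init, srcmstr, inetd and telnetd as root, then the informix shell and dbaccess. Every daemon between init and the login shell runs as root, which is why the chain starts with several root entries even though nobody logged in as root.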

The "root" entries appear because the user connected to the AIX server with telnet. The telnet service is started by init through srcmstr and inetd, and telnetd itself runs as root while it authenticates the user; only after a successful login does it start the user's shell under that user's own account. All of those system processes therefore show up as "root" in the chain, regardless of who logs in. If the client connects with telnet, the first user to log in is the entry immediately after the "telnetd -a" process: here (7864364, root,telnetd -a) is followed by (16711826,informix,-ksh), so "informix" is the first user to log in via telnet.

Similarly, if the client connects with ssh, the UID chain may look like this:
(2882,root,/usr/sbin/sshd)->(14031,root,sshd: informix [priv])->(14033,informix,sshd: informix@pts/0)->(14034,informix,-bash)->(14778,root,su -)->(14779,root,-bash)->(15342,root,su - sybase)->(15343,sybase,-bash)->(15421,sybase,isql -U sa -xx -S sn0maver)

In this case, the user logged in as "informix" via ssh (so the chain starts with the sshd listener process, which runs as root), then ran "su -" to become root, then "su - sybase" to become sybase, and finally ran "isql -U sa -xx -S sn0maver" as sybase. To find out who first logged in via ssh, locate the "/usr/sbin/sshd" process in the UID chain. The entry right after it, "sshd: informix [priv]", is the privilege-separated sshd child: it still runs as root, but its process name already carries the login name, and the next entry, "sshd: informix@pts/0", is the first process running under the user who logged in. In this case, "informix" is the first user to log in via ssh; the later "root" and "sybase" entries are the same person after switching accounts with "su", not separate logins.

You may also use "UID CHAIN COMPRESSED" from the Session entity to display the UID chain in another format. "UID CHAIN COMPRESSED" extracts the sequence of users from the original UID chain, collapses consecutive duplicates, removes the first and last user, and keeps the original order, producing a much shorter chain for ease of review.
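The interpretation rules from the telnet and ssh explanations above, and the "UID CHAIN COMPRESSED" derivation as this answer describes it, as an added example that is not Guardium code and not part of the original answer: parse a UID CHAIN string from a report, find the login daemon, recover the first user who logged in, list every account switch, and compute the compressed form. The daemon names it recognises (telnetd, sshd) are an assumption taken from the two examples on this page; the two chains embedded below are copied from those examples, not captured from a real system.

```python
# Added example (not Guardium code): interpret a UID CHAIN string.
import os
import re

# One "(pid,user,cmd)" entry; the closing paren must be followed by "->" or
# the end of the string so that a command containing ")" does not end it early.
ENTRY = re.compile(r"\((\d+),\s*([^,]+?),\s*(.*?)\)(?=->|$)")

def parse_uid_chain(text):
    """Turn "(pid,user,cmd)->(pid,user,cmd)" into a list of (pid, user, cmd)."""
    return [(int(p), u.strip(), c.strip()) for p, u, c in ENTRY.findall(text)]

# Assumption: login daemons seen on this page.  Add rlogind etc. as needed.
LOGIN_DAEMONS = ("telnetd", "sshd")

def first_login_user(chain):
    """The first entry after the login daemon whose user differs from the
    daemon's own user (root) is the account that actually logged in.  For
    ssh this skips "sshd: user [priv]", which still runs as root."""
    for i, (_pid, user, cmd) in enumerate(chain):
        head = cmd.split()[:1]
        if head and os.path.basename(head[0]) in LOGIN_DAEMONS:
            for _pid2, user2, _cmd2 in chain[i + 1:]:
                if user2 != user:
                    return user2
            return None                      # daemon found, nobody logged in yet
    return None                              # no known login daemon in chain

def switched_users(chain):
    """Every user transition along the chain, in order (e.g. who su'd to whom)."""
    return [(chain[i - 1][1], chain[i][1]) for i in range(1, len(chain))
            if chain[i][1] != chain[i - 1][1]]

def compress_uid_chain(chain):
    """UID CHAIN COMPRESSED as the answer describes it: the users in order,
    consecutive duplicates collapsed, then the first and last user dropped."""
    users = []
    for _pid, user, _cmd in chain:
        if not users or users[-1] != user:
            users.append(user)
    return users[1:-1]

# Constructed chains copied from the answer's two examples (not real captures).
TELNET_CHAIN = ("(1,root,/etc/init)->(3080192,root,/usr/sbin/srcmstr)->"
                "(3604610,root,/usr/sbin/inetd)->(7864364, root,telnetd -a)->"
                "(16711826,informix,-ksh)->(14352540,informix,dbaccess)")
SSH_CHAIN = ("(2882,root,/usr/sbin/sshd)->(14031,root,sshd: informix [priv])->"
             "(14033,informix,sshd: informix@pts/0)->(14034,informix,-bash)->"
             "(14778,root,su -)->(14779,root,-bash)->(15342,root,su - sybase)->"
             "(15343,sybase,-bash)->(15421,sybase,isql -U sa -xx -S sn0maver)")

def interpret(text):
    """Summarise one UID CHAIN string for an analyst."""
    chain = parse_uid_chain(text)
    return {
        "db_client": chain[-1][2] if chain else None,
        "first_login_user": first_login_user(chain),
        "switches": switched_users(chain),
        "compressed": compress_uid_chain(chain),
    }

if __name__ == "__main__":
    for name, text in (("telnet", TELNET_CHAIN), ("ssh", SSH_CHAIN)):
        print(name, interpret(text))
```

For the ssh chain this reports informix as the login user and the switches root->informix, informix->root and root->sybase, so the "sa" login in isql is attributable to the informix account holder. Note that compress_uid_chain follows the description in the paragraph above literally: for the telnet chain, where the only users are root and informix, dropping the first and last user leaves nothing, so the full UID CHAIN remains the field to rely on when there was no account switch.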

Product: IBM Security Guardium (SSMPHH); Component: Guardium Database Activity Monitor (also listed as InfoSphere Guardium Database Activity Monitor); Platform: Linux; Versions: 8.2, 9.0, 9.1; Line of Business: Security Software.

Document Information

Modified date: 16 June 2018

UID: swg21668544