From: LC Bruzenak <lenny@magitekltd.com>
To: Dan Gruhn <Dan.Gruhn@groupw.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit Prelude Logout Tracking
Date: Wed, 18 Feb 2009 16:44:06 -0600
Message-ID: <1234997046.11692.111.camel@homeserver>
In-Reply-To: <499C848C.6020401@groupw.com>


On Wed, 2009-02-18 at 16:58 -0500, Dan Gruhn wrote:
> I'm working on an x86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm 
> looking to modify the audisp-prelude plugin so that I can get logout 
> events displayed.
> 
> I see the information in the audit.log as USER_END and have done a small 
> mod in the handle_event routine in audisp-prelude.c so that it looks for 
> AUDIT_USER_END but I've run across the following things:
> 
> 1) sshd goes through a login/logout cycle ending in USER_END and all is 
> good.
> node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'
> 
> 2) gdm-binary goes through the same login/logout cycle, but on the 
> USER_END audit message it is missing some information, in particular the 
> source hostname:
> node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 uid=0 auid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
> 
> 3) When crond runs, it goes through a similar cycle (but without the 
> USER_LOGIN step) ending with USER_END
> node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> 
> I want to ignore the crond operations and be able to fill in the 
> information from gdm-binary.  Has anyone done this prelude logout 
> tracking before, or have any ideas how I can proceed?
> 
> As always, a pointer to more information is quite acceptable.
> 
> Dan
> 

Dan,

As I myself eventually learned, the hostname/addr info is only for
remote access information. The gdm process doesn't get that filled in,
nor does crond.

As for the logouts being sent to prelude, I preferred that as well but
no one (except me) felt that a logout was security-worthy in the context
of IDS events IIRC. I wanted them somewhat for the same reason - because
then it told a complete story. Also I believe there is a need due to
screen locks - if someone else can log in while your screen is locked then
there isn't a trace back to when they logged out. I haven't looked at
that for a while though; not sure if it is still possible.

I myself patch the audisp-prelude.c code so I can catch some application
events there and send to prelude as well.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
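The USER_END handling Dan describes, as an added example (not code from this thread or from the audisp-prelude plugin): a small Python classifier that parses the three records quoted above, skips crond's PAM session close, and treats the '?' hostname/addr on the gdm record as a local console logout, as LC explains. The field names are those in the records; keying the crond exclusion on exe is an assumption of the example.

```python
import re

# The three USER_END records quoted in the thread, rejoined onto one line each
# (constructed copies for this example).
SAMPLE_RECORDS = [
    "node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 "
    "subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/sshd\" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'",
    "node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 uid=0 auid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/gdm-binary\" (hostname=?, addr=?, terminal=:0 res=success)'",
    "node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 uid=0 auid=0 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
]

# PAM session closes from these daemons are job boundaries, not user logouts (assumed list).
NON_INTERACTIVE_EXES = {"/usr/sbin/crond"}
_FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')
_AUDIT = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_user_end(record):
    """Flatten a USER_END record into a dict of key=value fields; None for other types."""
    head, sep, payload = record.partition("msg='")
    if not sep:
        return None
    fields = dict(_FIELD.findall(head))
    stamp = _AUDIT.search(head)
    if fields.get("type") != "USER_END" or not stamp:
        return None
    # The quoted PAM payload carries acct, exe and the (hostname, addr, terminal res) block.
    fields.update((k, v.strip('"')) for k, v in _FIELD.findall(payload.rstrip("'")))
    fields["time"], fields["serial"] = stamp.group(1), int(stamp.group(2))
    return fields

def logout_event(record):
    """Return the logout to forward to the IDS, or None if the record should be ignored."""
    f = parse_user_end(record)
    if f is None or f.get("res") != "success" or f.get("exe") in NON_INTERACTIVE_EXES:
        return None
    hostname, addr = f.get("hostname", "?"), f.get("addr", "?")
    # hostname/addr are only filled in for remote access; a console login via gdm shows '?',
    # so the terminal (e.g. ':0') is the only locator a local logout carries.
    source = hostname if hostname != "?" else addr if addr != "?" else "local"
    return {"serial": f["serial"], "time": f["time"], "acct": f["acct"], "auid": f["auid"],
            "exe": f["exe"], "terminal": f["terminal"], "source": source}

def logout_events(records):
    """Filter a stream of raw audit records down to the logouts worth forwarding."""
    return [e for e in map(logout_event, records) if e is not None]
```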
