From: Robert Evans
Subject: RHEL 4 configuration (more info)
Date: Tue, 12 Jun 2007 15:11:57 -0400
Message-ID: <466EEFFD.70604@jhuapl.edu>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Updated info on my question. From the original message:

>>>> original question <<<<

I've got auditing running pretty well on Fedora and looks like SuSE as well, but RHEL 4 is giving me some problems.

I'm working off of RHEL 4 with the following updated packages:

  kernel-smp-2.6.9-55.EL.x86_64
  kernel-smp-devel-2.6.9-55.EL.x86_64
  glibc-kernheaders-2.4_9.1.100.EL.x86_64
  audit-libs-1.0.15-3.EL4.x86_64
  audit-1.0.15-3.EL4.x86_64

All other packages are at the original RHEL4 distribution level.

>>>> Updated info <<<<<

It turns out I had the audit=1 flag set in /etc/grub.conf. I thought I was supposed to include that, but if I removed that, I saw the login/logout events...so my original problem is resolved.

Now I'm back to my old problem of SSH doesn't show logouts. I know that the version on RHEL 4 is too old to generate the logouts, but I don't see a new enough version of packages for openssh on redhat.com. I see newer versions of openssh on openssh.org, but I tried to compile those, and use the sshd daemon in place of the one on the distro, and still no luck on ssh.

Are there "magic" flags I need to set if I compile openssh myself, or any special configuration options to have it work with auditd?

Thanks again!

Bob Evans