From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Missing login records - Audit functionality in different kernel versions
Date: Thu, 30 May 2019 08:30:52 -0400
Message-ID: <9453511.RplY5aRnKT@x2>
In-Reply-To: <AxkNEg.6xBamOA67vUU.O6mFWVI0mE32fIXmL36@freemail.hu>
Hello,
On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
> I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the
> audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and
> USER_LOGIN record types at all; only USER_LOGIN types.
>
> As I understand these records should be there without any rules set.
> https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html
Yes. These are sent by pam. So, the question would be, is your copy of pam
compiled with audit support?
ldd /usr/lib64/libpam_misc.so | grep libaudit
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f06c2c39000)
> On another server with kernel version 4.9 it works properly. Is there a
> possibility that this Audit functionality is not implemented in kernel
> version 3.2, or is this just a configuration issue on my side?
This should be pam.
-Steve
> We have too many Debian 3.x production servers to consider kernel upgrade
> being an option.
>
> If it's a kernel issue, could you please recommend any workaround?
> Currently I am thinking of parsing the auth.log.
>
> Many thanks,
> Robert
>
> auditd.conf:
> log_file = /var/log/audit/audit.log
> log_format = RAW
> log_group = root
> priority_boost = 4
> flush = INCREMENTAL
> freq = 20
> num_logs = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file = 5
> max_log_file_action = ROTATE
> space_left = 75
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> ##tcp_listen_port =
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
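An added example, not code from Steve's or Róbert's messages, of the two checks this reply implies in POSIX shell: whether a PAM library is linked against libaudit (the ldd test above), and which of the PAM-originated record types are absent from an audit.log in RAW format. The sample log is constructed, and the PAM library path passed to pam_has_audit_support is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example, not from the thread: verify that PAM is linked against libaudit
# and report which PAM-originated record types an audit.log is missing.

# Record types PAM emits when built with audit support (as listed in the thread).
PAM_TYPES="USER_AUTH USER_ACCT CRED_ACQ USER_START USER_LOGIN"

# ldd_lists_libaudit: reads ldd output on stdin; succeeds if libaudit is linked in.
ldd_lists_libaudit() {
    grep -q 'libaudit\.so'
}

# pam_has_audit_support LIB: run ldd on a PAM library. The path is distro-specific
# (e.g. /usr/lib64/libpam_misc.so on Fedora/RHEL); the caller supplies it.
pam_has_audit_support() {
    ldd "$1" 2>/dev/null | ldd_lists_libaudit
}

# count_type LOG TYPE: number of RAW-format records of TYPE in LOG (0 if none).
count_type() {
    grep -c "^type=$2 " "$1"
}

# missing_pam_types LOG: print, space-separated, the PAM record types absent from LOG.
missing_pam_types() {
    missing=""
    for t in $PAM_TYPES; do
        grep -q "^type=$t " "$1" || missing="$missing $t"
    done
    printf '%s\n' "${missing# }"
}

# make_sample_log FILE: write a constructed RAW audit.log that, like the reporter's,
# carries only USER_LOGIN records from PAM (all values are made up).
make_sample_log() {
    cat > "$1" <<'EOF'
type=USER_LOGIN msg=audit(1559201843.123:45): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1559201843.200:46): arch=c000003e syscall=59 success=yes exit=0
type=USER_LOGIN msg=audit(1559201900.001:47): pid=1300 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" res=success'
EOF
}

# Stand-alone demo on the constructed log; on a real host, also run
# pam_has_audit_support against that host's PAM library.
tmp=$(mktemp)
make_sample_log "$tmp"
echo "PAM record types missing from sample log: $(missing_pam_types "$tmp")"
rm -f "$tmp"
```

If the log lacks USER_AUTH/USER_ACCT/CRED_ACQ/USER_START while pam_has_audit_support fails, the PAM build, not the kernel, is the place to look.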
Thread overview (3+ messages):
2019-05-30 7:37  Missing login records - Audit functionality in different kernel versions  Róbert Nagy
2019-05-30 12:30  ` Steve Grubb [this message]
2019-05-30 15:11  ` Róbert Nagy