From: Tomas Mraz <tmraz@redhat.com>
To: Justin Mattock <justinmattock@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>,
"Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Subject: Re: openssh logout not being audited on fc5
Date: Thu, 06 Nov 2008 00:10:00 +0100
Message-ID: <1225926600.3447.165.camel@vespa.frost.loc>
In-Reply-To: <dd18b0c30811051503w6a98d3f1m6c2569dcf9c3f4d2@mail.gmail.com>

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz@redhat.com> wrote:
> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> >> All,
> >> been google-ing all day, so sorry if this info is common knowledge,
> >> but I can't seem to find it.
> >>
> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> >> requirement (miserable task that it is), and I have to make this
> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> >> up in my audit logs, and although I have an idea why, I can't seem to
> >> find what I think I need ... The system I am building has the
> >> following:
> >>
> >> OS = FC5
> >> audit subsystem = 1.3-2
> >> openssh = 4.3p2-4.12
> >> kernel = 2.6.20-1.2320-fc5
> >>
> >> My RHEL4 systems capture ssh logout just fine, and they are at
> >> earlier versions of both openssh and the audit subsystem... I found
> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
> >> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
> >> find a later version of open ssh or at least a src.rpm to build a
> >> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
> >> src.rpm for el5, but of course, that didn't build properly on my fc5
> >> system.
> >>
> >> Anyone know if I'm chasing my tail? Maybe something else will fix
> >> this for FC5 (newer audit pkg?)? Recommendations would be most
> >> appreciated. If you all think I DO need a newer openssh version,
> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
> >
> > You could try to add the relevant patch from the RHEL 5 openssh src.rpm
> > to the FC5 package. But is it really a good idea to use such an old
> > package at all? There are unfixed CVEs and so on. Of course this applies
> > to the rest of the FC5 distribution as well.
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> >
>
> Out of curiosity, would this have something
> to do with the audit=1 option as a boot param?
Nope. The old (or unpatched) openssh just called pam_close_session()
incorrectly.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
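
A check for the symptom discussed in this thread, as an added example that is not part of the original message: it pairs the PAM session-open (USER_START) and session-close (USER_END) audit records for sshd and lists sessions that have no close record. The log records are constructed samples, and matching open to close on pid plus account name is an assumption.

```python
import re

# Constructed sample records, modelled on the USER_START / USER_END events that
# PAM emits from pam_open_session() / pam_close_session(). Not from a real host.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225911600.101:310): user pid=2871 uid=0 auid=500 msg='PAM: session open acct=karen : exe="/usr/sbin/sshd" (hostname=ws1.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225911700.412:325): user pid=2904 uid=0 auid=501 msg='PAM: session open acct=justin : exe="/usr/sbin/sshd" (hostname=ws2.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_END msg=audit(1225912900.007:391): user pid=2904 uid=0 auid=501 msg='PAM: session close acct=justin : exe="/usr/sbin/sshd" (hostname=ws2.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225913000.250:402): user pid=3010 uid=0 auid=500 msg='PAM: session open acct=karen : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Pull record type, timestamp, pid, account and executable out of one audit line.
RECORD = re.compile(
    r'type=(?P<type>USER_START|USER_END) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\bpid=(?P<pid>\d+)\b.*?\bacct="?(?P<acct>[^"\s:]+)"?.*?\bexe="(?P<exe>[^"]+)"'
)


def unclosed_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return (pid, acct, start_ts) for each session open with no matching close."""
    open_sessions = {}
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m or m["exe"] != exe:
            continue  # not a PAM session record, or not from the program of interest
        # Assumption: the open and the close are logged by the same sshd pid.
        key = (int(m["pid"]), m["acct"])
        if m["type"] == "USER_START":
            open_sessions[key] = float(m["ts"])
        else:
            open_sessions.pop(key, None)  # USER_END closes the matching open
    return sorted((pid, acct, ts) for (pid, acct), ts in open_sessions.items())


if __name__ == "__main__":
    for pid, acct, ts in unclosed_sessions(SAMPLE_LOG):
        print(f"sshd pid {pid}: session for {acct} opened at {ts} has no USER_END")
```

Sessions that are still logged in also show up as unclosed, so compare the result with the list of currently active logins before concluding that logout auditing is missing.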