From: Tomas Mraz
Subject: Re: openssh logout not being audited on fc5
Date: Thu, 06 Nov 2008 00:10:00 +0100
Message-ID: <1225926600.3447.165.camel@vespa.frost.loc>
References: <54FBB3490A6F3249BFA660814E9114EB9221410CD4@aplesstripe.dom1.jhuapl.edu> <1225926005.3447.164.camel@vespa.frost.loc>
To: Justin Mattock
Cc: "linux-audit@redhat.com", "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> >> All,
> >> been google-ing all day, so sorry if this info is common knowledge,
> >> but I can't seem to find it.
> >>
> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> >> requirement (miserable task that it is), and I have to make this
> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> >> up in my audit logs, and although I have an idea why, I can't seem to
> >> find what I think I need ... The system I am building has the
> >> following:
> >>
> >> OS = FC5
> >> audit subsystem = 1.3-2
> >> openssh = 4.3p2-4.12
> >> kernel = 2.6.20-1.2320-fc5
> >>
> >> My RHEL4 systems capture ssh logout just fine, and they are at
> >> earlier versions of both openssh and the audit subsystem... I found
> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
> >> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
> >> find a later version of open ssh or at least a src.rpm to build a
> >> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
> >> src.rpm for el5, but of course, that didn't build properly on my fc5
> >> system.
> >>
> >> Anyone know if I'm chasing my tail? Maybe something else will fix
> >> this for FC5 (newer audit pkg?)? Recommendations would be most
> >> appreciated. If you all think I DO need a newer openssh version,
> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
> >
> > You could try to add the relevant patch from the RHEL 5 openssh src.rpm
> > to the FC5 package. But is it really a good idea to use such an old package
> > at all? There are unfixed CVEs and so on. Of course this applies to the
> > rest of the FC5 distribution as well.
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
> out of curiosity would this have something
> to do with the audit=1 option as a boot param?

Nope. The old (or unpatched) openssh just called pam_close_session()
incorrectly.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
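
A way to confirm the symptom discussed in this thread from the audit log itself, as an added example that is not part of the original messages or of the openssh or audit projects: it pairs `USER_START` (PAM session open) with `USER_END` (PAM session close) records for sshd and reports opens that never get a close. The sample records are constructed with a simplified field layout, and pairing by `pid` and `acct` is an assumption of this sketch.

```python
import re

# Constructed sample audit.log records (not from the thread); layout simplified.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225900000.101:41): user pid=2101 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_END msg=audit(1225900300.202:57): user pid=2101 uid=0 auid=500 msg='PAM: session close acct="alice" : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_START msg=audit(1225900400.303:63): user pid=2250 uid=0 auid=501 msg='PAM: session open acct="bob" : exe="/usr/sbin/sshd" (hostname=10.0.0.6, addr=10.0.0.6, terminal=ssh res=success)'
type=USER_START msg=audit(1225900500.404:70): user pid=2300 uid=0 auid=502 msg='PAM: session open acct="carol" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_END msg=audit(1225900600.505:82): user pid=2300 uid=0 auid=502 msg='PAM: session close acct="carol" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Pull out the record type, timestamp, pid, account and executable.
RECORD = re.compile(
    r"^type=(?P<type>USER_START|USER_END) "
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?\bpid=(?P<pid>\d+)"
    r".*?\bacct=\"?(?P<acct>[^\"\s:]+)\"?"
    r".*?\bexe=\"(?P<exe>[^\"]+)\""
)


def unclosed_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return sorted (pid, acct, open_ts) for session opens with no later close."""
    open_sessions = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m["exe"] != exe:
            continue  # not a PAM session record from the program we care about
        key = (m["pid"], m["acct"])  # assumption: open and close share pid and acct
        if m["type"] == "USER_START":
            open_sessions[key] = float(m["ts"])
        else:
            open_sessions.pop(key, None)  # matching close seen; session is accounted for
    return sorted((pid, acct, ts) for (pid, acct), ts in open_sessions.items())


if __name__ == "__main__":
    for pid, acct, ts in unclosed_sessions(SAMPLE_LOG):
        print(f"no USER_END for sshd session: pid={pid} acct={acct} opened={ts}")
```

A session that is still logged in is also reported, so run this against a log window in which every test session has already been closed.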