* Re: monitoring both logins and logouts via ssh in SLES10 SP1 RC2
@ 2007-05-25 17:21 Michael Folsom
2007-05-25 17:52 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Michael Folsom @ 2007-05-25 17:21 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve:
Thanks for the quick response -
Did a little test on an X86-64 SLES10 SP1 RC2 system - sshed into it
and did see the USER_LOGIN line, then got out via either an exit or
logout and never saw a USER_END statement. Here are the relevant lines
from /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1180108586.633:1292): user pid=31247 uid=0
auid=4294967295 msg='PAM: authentication acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh
res=success)'
type=USER_ACCT msg=audit(1180108586.633:1293): user pid=31247 uid=0
auid=4294967295 msg='PAM: accounting acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X,, terminal=ssh
res=success)'
type=LOGIN msg=audit(1180108586.637:1294): login pid=31248 uid=0 old
auid=4294967295 new auid=6122
type=USER_START msg=audit(1180108586.637:1295): user pid=31248 uid=0
auid=6122 msg='PAM: session open acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1180108586.637:1296): user pid=31248 uid=0
auid=6122 msg='PAM: setcred acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1180108586.641:1297): user pid=31245 uid=0
auid=4294967295 msg='uid=6122: exe="/usr/sbin/sshd" (hostname=X.X.X,
addr=X.X.X.X, terminal=/dev/pts/1 res=success)
From playing with logging in and out via different means - the gdm
gui, the console, and ssh - and then using grep on the log file, it
appears that the other two routes record both logins and logouts but
ssh only records logins.
Could this be an issue in Suse's implementation of audit?
Thanks!
Michael
On 5/25/07, Steve Grubb <sgrubb@redhat.com> wrote:
> On Thursday 24 May 2007 19:07:21 Michael Folsom wrote:
> > Working with audit (ver=1.2.9) on SLES10 sp1 rc2 and wonder if it was
> > possible to monitor both logins and logouts.
>
> Logins are denoted by a USER_LOGIN event. There should also be a USER_START
> event from the same tty/pty or host, auid, and pid. This marks the beginning
> of a session. You should be able to look for a corresponding USER_END to
> denote the end of a session. If the USER_START result indicates a failure, there
> will not be a USER_END.
>
> > Currently my system is recording when a user logs in but not when they log
> > out of a ssh session. Is this even possible?
>
> With a little inference, it's possible. I started to put in a USER_LOGOUT
> event, but I decided it's redundant when it can be inferred by the session
> events.
>
> -Steve
>
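Steve's rule quoted above for inferring a logout (pair each USER_START with a later USER_END on the same pid, auid and host; a USER_START whose result is a failure gets no USER_END), as an added example that is not code from the thread. The audit.log records, hostnames and accounts below are constructed, each record is assumed to sit on one line, and the (pid, auid, hostname) key follows Steve's description rather than any particular sshd build.

```python
import re
from collections import OrderedDict

# Constructed audit.log sample: one open session that never closes (the
# symptom Michael reports), one closed session, and one failed session open.
SAMPLE_LOG = """\
type=USER_START msg=audit(1180108586.637:1295): user pid=31248 uid=0 auid=6122 msg='PAM: session open acct=mwfolsom : exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1180108586.641:1297): user pid=31245 uid=0 auid=4294967295 msg='uid=6122: exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=/dev/pts/1 res=success)'
type=USER_START msg=audit(1180109000.100:1310): user pid=31300 uid=0 auid=6123 msg='PAM: session open acct=bob : exe="/usr/sbin/sshd" (hostname=h2, addr=10.0.0.2, terminal=ssh res=success)'
type=USER_END msg=audit(1180109050.200:1315): user pid=31300 uid=0 auid=6123 msg='PAM: session close acct=bob : exe="/usr/sbin/sshd" (hostname=h2, addr=10.0.0.2, terminal=ssh res=success)'
type=USER_START msg=audit(1180109100.000:1320): user pid=31400 uid=0 auid=4294967295 msg='PAM: session open acct=eve : exe="/usr/sbin/sshd" (hostname=h3, addr=10.0.0.3, terminal=ssh res=failed)'
"""

# Record header: type, then the audit(timestamp:serial) stamp, then the body.
HEAD = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")

def parse_event(line):
    """Return a dict with type, ts, pid, auid, hostname, res, or None if not an audit record."""
    m = HEAD.match(line)
    if not m:
        return None
    ev = {"type": m.group("type"), "ts": float(m.group("ts"))}
    for key in ("pid", "auid", "hostname", "res"):
        f = re.search(rf"\b{key}=([^\s,)]+)", line)
        ev[key] = f.group(1) if f else None
    return ev

def correlate_sessions(log_text):
    """Pair USER_START with USER_END by (pid, auid, hostname); status is open/closed/failed_start."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["type"] not in ("USER_START", "USER_END"):
            continue
        key = (ev["pid"], ev["auid"], ev["hostname"])
        if ev["type"] == "USER_START":
            # A failed session open is not expected to be followed by USER_END.
            status = "open" if ev["res"] == "success" else "failed_start"
            sessions[key] = {"key": key, "start": ev["ts"], "end": None, "status": status}
        elif key in sessions and sessions[key]["status"] == "open":
            sessions[key]["end"] = ev["ts"]
            sessions[key]["status"] = "closed"
    return list(sessions.values())

def unclosed_sessions(log_text):
    """Sessions that opened successfully but have no matching USER_END yet."""
    return [s for s in correlate_sessions(log_text) if s["status"] == "open"]
```

A session that stays in `open` long after the user has gone is the signature of the missing USER_END discussed in this thread; a `failed_start` entry is expected to have no end record.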
From: Steve Grubb @ 2007-05-25 17:52 UTC (permalink / raw)
To: Michael Folsom; +Cc: linux-audit
On Friday 25 May 2007 13:21, Michael Folsom wrote:
> Did a little test on an X86-64 SLES10 SP1 RC2 system - sshed into it
> and did see the USER_LOGIN line, then got out via either an exit or
> logout and never saw a USER_END statement.
If I remember correctly, there was a bug in a patch to sshd that called
pam_session_close from the unprivileged process. I think we moved this and
sent the patch upstream.
> Could this be an issue in Suse's implementation of audit?
There might be an sshd patch that needs backporting from openssh cvs.
-Steve