From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Robert Evans <bob.evans@jhuapl.edu>
Subject: Re: Offline configuration
Date: Fri, 25 May 2007 14:10:51 -0400
Message-ID: <200705251410.52061.sgrubb@redhat.com>
In-Reply-To: <46570D8C.8090504@jhuapl.edu>
On Friday 25 May 2007 12:23, Robert Evans wrote:
> Do I need the latest of
> audit-libs-devel
no
> kernel as well?
Wouldn't hurt due to security fixes.
> Also, what other packages are critical to get NISPOM compliance?
NISPOM seems preoccupied with login/logout, account locking, blacklisting of
terminals, audit trail generation, and audit reports.
The login/logout stuff is covered by pam, login, sshd, and gdm. Account
locking is done by pam_tally2. I don't believe we do blacklisting of
terminals like pam_tally does. And the audit trail is done by the kernel and
audit package. I'd also update password and shadow-utils so that changes to
accounts are audited.
> Even when I updated the above packages, it didn't look like failed logins on
> the gnome desktop were generating events. I realize this may be particular
> to RHEL_64, but I also figured I could just have an outdated package.
Also, put audit=1 in boot parameters. The latest version of gdm is supposed to
work with audit. There was an issue where the gdm pam configuration was not
right. But it was corrected in the last release.
> I'm asking this because when I set up my audit rules on RHEL4_64 with the
> base auditing installed (none of the above updates), I wasn't getting any
> login/logout events at all. Based on my initial experience with the initial
> Fedora configurations, I assume that I need to install updated packages.
Yes, I would.
> It seems like Steve has put enough information in the event logs that it is
> possible to build a GUI that parses, combines, and then displays the event
> logs to the user.
Yes. I believe someone even sent one to this mail list about a year ago. We
are planning to write one later this summer after the audit parsing library
work is settled.
> The only gotcha I had with FC5 was that I needed the updated openssh
> packages to generate the events that indicated a logout event for ssh.
Yep.
-Steve
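The two concrete checks Steve points at above (audit=1 on the kernel command line, and failed logins actually landing in the audit trail) as an added Python example; it is not code from this thread or from the audit project, and the log records are constructed in the audit log's key=value format rather than taken from any real system.

```python
"""Check that audit=1 is on the kernel command line and that failed logins
show up as USER_LOGIN records in the audit trail."""
import re
from collections import Counter

# Constructed sample records (not from the thread); on a live box read /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1180116000.101:201): user pid=2001 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1180116030.102:202): user pid=2002 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=host1 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1180116060.103:203): user pid=2100 uid=0 auid=4294967295 msg='op=login acct=bob exe="/usr/bin/gdm-binary" hostname=? addr=? terminal=:0 res=failed'
type=USER_END msg=audit(1180116090.104:204): user pid=2002 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=host1 addr=10.0.0.5 terminal=ssh res=success'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
# A field value is double-quoted, single-quoted (the nested msg='...' payload) or bare.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Split one audit line into a dict; fields inside msg='...' are flattened in too."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        val = val.strip("\"'")
        if key == "msg":
            for k2, v2 in FIELD_RE.findall(val):
                rec[k2] = v2.strip("\"'")
        else:
            rec[key] = val
    return rec


def failed_logins(log_text):
    """Count failed USER_LOGIN records per (account, terminal), the per-terminal view
    an audit report on login failures needs."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            hits[(rec.get("acct", "?"), rec.get("terminal", "?"))] += 1
    return hits


def audit_enabled_on_cmdline(cmdline):
    """True if audit=1 is among the boot parameters (pass the contents of /proc/cmdline)."""
    return "audit=1" in cmdline.split()
```

If a failed desktop login produces no USER_LOGIN record at all, the gap is upstream of the log (boot parameter, daemon, or the gdm pam stack), not in the reporting.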