From: Steve Grubb
Subject: Re: Offline configuration
Date: Fri, 25 May 2007 14:10:51 -0400
Message-ID: <200705251410.52061.sgrubb@redhat.com>
In-Reply-To: <46570D8C.8090504@jhuapl.edu>
To: linux-audit@redhat.com
Cc: Robert Evans
List-Id: linux-audit@redhat.com

On Friday 25 May 2007 12:23, Robert Evans wrote:
> Do I need the latest of
>     audit-libs-devel

no

>     kernel as well?

Wouldn't hurt due to security fixes.

> Also, what other packages are critical to get NISPOM compliance?

NISPOM seems preoccupied with login/logout, account locking, blacklisting of
terminals, audit trail generation, and audit reports.

The login/logout stuff is covered by pam, login, sshd, and gdm. Account
locking is done by pam_tally2. I don't believe we do blacklisting of
terminals like pam_tally does. And the audit trail is done by the kernel and
audit package. I'd also update password and shadow-utils so that changes to
accounts are audited.

> Even when I updated the above packages, it didn't look like failed logins on
> the gnome desktop were generating events.  I realize this may be particular
> to RHEL_64, but I also figured I could just have an outdated package.

Also, put audit=1 in boot parameters. The latest version of gdm is supposed to
work with audit. There was an issue where the gdm pam configuration was not
right. But it was corrected in the last release.

> I'm asking this because when I set up my audit rules on RHEL4_64 with the
> base auditing installed (none of the above updates).  I wasn't getting any
> login/logout events at all, based on my initial experience with the initial
> Fedora configurations, I assume that I need to install updated packages.

Yes, I would.

> It seems like Steve has put enough information in the event logs that it is
> possible to build a GUI that parses, combines, and then displays the event
> logs to the user.

Yes. I believe someone even sent one to this mail list about a year ago. We
are planning to write one later this summer after the audit parsing library
work is settled.

> The only gotcha I had with FC5 was that I needed the updated openssh
> packages to generate the events that indicated a logout event for ssh.

Yep.

-Steve
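An added example, not part of this thread or of the audit project's own code, of the parsing a reporting tool like the one discussed would do over the login/logout trail: it reads USER_LOGIN and USER_LOGOUT records, counts successes, failures and logouts per account, and lists accounts whose failure count reached a threshold. The sample records are constructed, the "type=... msg=audit(ts:serial): key=value" layout with PAM details inside msg='...' is assumed, and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import defaultdict
# Constructed sample records (not from the thread); assumed auditd layout.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1180113051.100:201): user pid=2001 uid=0 auid=500 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1180113080.200:202): user pid=2002 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=failed'
type=SYSCALL msg=audit(1180113081.300:203): arch=c000003e syscall=2 success=yes exit=3 auid=500 comm="cat" exe="/bin/cat"
type=USER_LOGIN msg=audit(1180113085.400:204): user pid=2003 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1180113090.500:205): user pid=2004 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=failed'
type=USER_LOGOUT msg=audit(1180113300.600:206): user pid=2001 uid=0 auid=500 msg='op=logout acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    """One record -> type, time, serial plus a flat dict of its key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if key == "msg" and value.startswith("'"):
            # Lift the PAM/sshd detail fields nested inside msg='...' into the dict.
            fields.update((k, v.strip('"')) for k, v in FIELD_RE.findall(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def summarize_logins(log_text):
    """Per-account counts of successful logins, failed logins and logouts."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0, "logout": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] not in ("USER_LOGIN", "USER_LOGOUT"):
            continue
        acct = rec.get("acct") or rec.get("id") or rec.get("auid", "?")
        if rec["type"] == "USER_LOGOUT":
            summary[acct]["logout"] += 1
        elif rec.get("res") == "success":
            summary[acct]["success"] += 1
        else:
            summary[acct]["failed"] += 1
    return dict(summary)

def accounts_over_threshold(summary, max_failures=3):
    """Accounts whose failed-login count reached the (assumed) lockout threshold."""
    return sorted(a for a, c in summary.items() if c["failed"] >= max_failures)
```

On a real system the same functions can be fed the output of ausearch for the USER_LOGIN and USER_LOGOUT types instead of the constructed sample.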