From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Wieprecht, Karen M."
Subject: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 15:20:23 -0500
Message-ID: <54FBB3490A6F3249BFA660814E9114EB9221410CD4@aplesstripe.dom1.jhuapl.edu>
To: "linux-audit@redhat.com"

All,
been google-ing all day, so sorry if this info is common knowledge, but I can't seem to find it.

Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor requirement (miserable task that it is), and I have to make this system be NISPOM compliant. Unfortunately, ssh logout isn't showing up in my audit logs, and although I have an idea why, I can't seem to find what I think I need ... The system I am building has the following:

OS = FC5
audit subsystem = 1.3-2
openssh = 4.3p2-4.12
kernel = 2.6.20-1.2320-fc5

My RHEL4 systems capture ssh logout just fine, and they are at earlier versions of both openssh and the audit subsystem... I found a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and find a later version of open ssh or at least a src.rpm to build a newer version for fc5, but I didn't have much luck. Found a 4.3p2-16 src.rpm for el5, but of course, that didn't build properly on my fc5 system.

Anyone know if I'm chasing my tail? maybe something else will fix this for FC5 (newer audit pkg?)? Recommendations would be most appreciated. If you all think I DO need a newer openssh version, anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?

Thanks,

Karen Wieprecht

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 15:34:23 -0500
Message-ID: <200811051534.23967.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Wieprecht, Karen M."

On Wednesday 05 November 2008 15:20:23 Wieprecht, Karen M. wrote:
> Unfortunately, ssh logout isn't showing up in my audit logs, and although I
> have an idea why, I can't seem to find what I think I need ... The system I
> am building has the following:

FC-5 is so long ago that I don't remember the problem. The audit packages are sort of tuned to go with the kernel of that era, so I don't know if you can take the audit package from FC-6 and use it on FC-5. But as for openssh, you can possibly try the FC-6 package here:

http://archives.fedoraproject.org/pub/archive/fedora/linux/core/updates/6/SRPMS/openssh-4.3p2-25.fc6.src.rpm

> OS = FC5
> audit subsystem = 1.3-2
> openssh = 4.3p2-4.12
> kernel = 2.6.20-1.2320-fc5

I believe this should have worked. Anyways maybe the newer openssh package does it.

-Steve

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tomas Mraz
Subject: Re: openssh logout not being audited on fc5
Date: Thu, 06 Nov 2008 00:00:05 +0100
Message-ID: <1225926005.3447.164.camel@vespa.frost.loc>
To: "Wieprecht, Karen M."
Cc: "linux-audit@redhat.com"

On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> All,
> been google-ing all day, so sorry if this info is common knowledge,
> but I can't seem to find it.
>
> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> requirement (miserable task that it is), and I have to make this
> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> up in my audit logs, and although I have an idea why, I can't seem to
> find what I think I need ... The system I am building has the
> following:
>
> OS = FC5
> audit subsystem = 1.3-2
> openssh = 4.3p2-4.12
> kernel = 2.6.20-1.2320-fc5
>
> My RHEL4 systems capture ssh logout just fine , and they are at
> earlier versions of both openssh and the audit subsystem... I found
> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
> find a later version of open ssh or at least a src.rpm to build a
> newer version for fc5 , but I didn't have much luck. Found a 4.3p2-16
> src.rpm for el5, but of course, that didn't build properly on my fc5
> system .
>
> Anyone know if I'm chasing my tail? maybe something else will fix
> this for FC5 (newer audit pkg? )? Recommendations would be most
> appreciated.
> If you all think I DO need a newer openssh version,
> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?

You could try to add the relevant patch from the RHEL 5 openssh src.rpm
to the FC5 package. But is it really good idea to use such old package
at all? There are unfixed CVEs and so on. Of course this applies to the
rest of the FC5 distribution as well.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Justin Mattock"
Subject: Re: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 15:03:51 -0800
To: Tomas Mraz
Cc: "linux-audit@redhat.com", "Wieprecht, Karen M."

On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>> All,
>> been google-ing all day, so sorry if this info is common knowledge,
>> but I can't seem to find it.
>>
>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>> requirement (miserable task that it is), and I have to make this
>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>> up in my audit logs, and although I have an idea why, I can't seem to
>> find what I think I need ...
>> The system I am building has the
>> following:
>>
>> OS = FC5
>> audit subsystem = 1.3-2
>> openssh = 4.3p2-4.12
>> kernel = 2.6.20-1.2320-fc5
>>
>> My RHEL4 systems capture ssh logout just fine , and they are at
>> earlier versions of both openssh and the audit subsystem... I found
>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
>> find a later version of open ssh or at least a src.rpm to build a
>> newer version for fc5 , but I didn't have much luck. Found a 4.3p2-16
>> src.rpm for el5, but of course, that didn't build properly on my fc5
>> system .
>>
>> Anyone know if I'm chasing my tail? maybe something else will fix
>> this for FC5 (newer audit pkg? )? Recommendations would be most
>> appreciated. If you all think I DO need a newer openssh version,
>> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>
> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
> to the FC5 package. But is it really good idea to use such old package
> at all? There are unfixed CVEs and so on. Of course this applies to the
> rest of the FC5 distribution as well.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

out of curiosity would this have something
to do with the audit=1 option as a boot param?

--
Justin P. Mattock

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tomas Mraz
Subject: Re: openssh logout not being audited on fc5
Date: Thu, 06 Nov 2008 00:10:00 +0100
Message-ID: <1225926600.3447.165.camel@vespa.frost.loc>
To: Justin Mattock
Cc: "linux-audit@redhat.com", "Wieprecht, Karen M."

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> >> All,
> >> been google-ing all day, so sorry if this info is common knowledge,
> >> but I can't seem to find it.
> >>
> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> >> requirement (miserable task that it is), and I have to make this
> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> >> up in my audit logs, and although I have an idea why, I can't seem to
> >> find what I think I need ... The system I am building has the
> >> following:
> >>
> >> OS = FC5
> >> audit subsystem = 1.3-2
> >> openssh = 4.3p2-4.12
> >> kernel = 2.6.20-1.2320-fc5
> >>
> >> My RHEL4 systems capture ssh logout just fine , and they are at
> >> earlier versions of both openssh and the audit subsystem... I found
> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
> >> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
> >> find a later version of open ssh or at least a src.rpm to build a
> >> newer version for fc5 , but I didn't have much luck.
> >> Found a 4.3p2-16
> >> src.rpm for el5, but of course, that didn't build properly on my fc5
> >> system .
> >>
> >> Anyone know if I'm chasing my tail? maybe something else will fix
> >> this for FC5 (newer audit pkg? )? Recommendations would be most
> >> appreciated. If you all think I DO need a newer openssh version,
> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
> >
> > You could try to add the relevant patch from the RHEL 5 openssh src.rpm
> > to the FC5 package. But is it really good idea to use such old package
> > at all? There are unfixed CVEs and so on. Of course this applies to the
> > rest of the FC5 distribution as well.
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
> out of curiosity would this have something
> to do with the audit=1 option as a boot param?

Nope. The old (or unpatched) openssh just called pam_close_session() incorrectly.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Justin P. Mattock"
Subject: Re: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 16:39:19 -0800
To: Tomas Mraz
Cc: "linux-audit@redhat.com", "Wieprecht, Karen M."

Ahh simple pam.d scenario

justin P. Mattock

On Nov 5, 2008, at 3:10 PM, Tomas Mraz wrote:

> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
>>> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>>>> All,
>>>> been google-ing all day, so sorry if this info is common knowledge,
>>>> but I can't seem to find it.
>>>>
>>>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>>>> requirement (miserable task that it is), and I have to make this
>>>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>>>> up in my audit logs, and although I have an idea why, I can't seem to
>>>> find what I think I need ... The system I am building has the
>>>> following:
>>>>
>>>> OS = FC5
>>>> audit subsystem = 1.3-2
>>>> openssh = 4.3p2-4.12
>>>> kernel = 2.6.20-1.2320-fc5
>>>>
>>>> My RHEL4 systems capture ssh logout just fine , and they are at
>>>> earlier versions of both openssh and the audit subsystem... I found
>>>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>>>> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
>>>> find a later version of open ssh or at least a src.rpm to build a
>>>> newer version for fc5 , but I didn't have much luck. Found a 4.3p2-16
>>>> src.rpm for el5, but of course, that didn't build properly on my fc5
>>>> system .
>>>>
>>>> Anyone know if I'm chasing my tail? maybe something else will fix
>>>> this for FC5 (newer audit pkg? )? Recommendations would be most
>>>> appreciated. If you all think I DO need a newer openssh version,
>>>> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>>>
>>> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
>>> to the FC5 package. But is it really good idea to use such old package
>>> at all? There are unfixed CVEs and so on.
>>> Of course this applies to the
>>> rest of the FC5 distribution as well.
>>> --
>>> Tomas Mraz
>>> No matter how far down the wrong road you've gone, turn back.
>>> Turkish proverb
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>>
>>
>> out of curiosity would this have something
>> to do with the audit=1 option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session()
> incorrectly.
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Wieprecht, Karen M."
Subject: RE: openssh logout not being audited on fc5
Date: Thu, 6 Nov 2008 15:00:00 -0500
Message-ID: <54FBB3490A6F3249BFA660814E9114EB9221410CDD@aplesstripe.dom1.jhuapl.edu>
To: 'Tomas Mraz', Justin Mattock, "Lange, Stephen F.", "Dean, Randy J.", Thomas, Daniel
Cc: "linux-audit@redhat.com"

OK, I got ssh logout working. The pam_close_session patch tip was the piece I needed, thanks.

I found some good instructions on how to patch and rebuild an rpm package since I've never done that before (http://bradthemad.org/tech/notes/patching_rpms.php). I downloaded both the latest archived openssh src.rpms for fc5 (4.3p2-4.12) and fc6 (4.3p2-25) and compared the .patch files and the .spec files. I tried to rebuild the fc5 package with all of the additional .patch files that the fc6 version used, but at least one of them was causing the compile to fail. Rather than try to figure out which one was causing the problem, I simplified the specs to just what I thought I needed to get the auditing of ssh logout working. I was successful in getting openssh 4.3p2-4.12 to compile with its standard patches plus the pam-session patch from the 4.3p2-25 src.rpm. I then replaced the default 4.3p2-4.12 packages with my patched ones, and ssh logouts are now successfully being audited.

Thanks all, you've been a big help.

Karen Wieprecht

-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz
Sent: Wednesday, November 05, 2008 6:10 PM
To: Justin Mattock
Cc: linux-audit@redhat.com; Wieprecht, Karen M.
Subject: Re: openssh logout not being audited on fc5

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> >> All,
> >> been google-ing all day, so sorry if this info is common knowledge,
> >> but I can't seem to find it.
> >>
> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> >> requirement (miserable task that it is), and I have to make this
> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> >> up in my audit logs, and although I have an idea why, I can't seem
> >> to find what I think I need ... The system I am building has the
> >> following:
> >>
> >> OS = FC5
> >> audit subsystem = 1.3-2
> >> openssh = 4.3p2-4.12
> >> kernel = 2.6.20-1.2320-fc5
> >>
> >> My RHEL4 systems capture ssh logout just fine , and they are at
> >> earlier versions of both openssh and the audit subsystem...
> >> I found
> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix
> >> the ssh logout problem for (I think) SuSe 10.1, so I thought I'd
> >> try and find a later version of open ssh or at least a src.rpm to
> >> build a newer version for fc5 , but I didn't have much luck. Found
> >> a 4.3p2-16 src.rpm for el5, but of course, that didn't build
> >> properly on my fc5 system .
> >>
> >> Anyone know if I'm chasing my tail? maybe something else will fix
> >> this for FC5 (newer audit pkg? )? Recommendations would be most
> >> appreciated. If you all think I DO need a newer openssh version,
> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
> >
> > You could try to add the relevant patch from the RHEL 5 openssh
> > src.rpm to the FC5 package. But is it really good idea to use such
> > old package at all? There are unfixed CVEs and so on. Of course this
> > applies to the rest of the FC5 distribution as well.
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> > Turkish proverb
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
> out of curiosity would this have something to do with the audit=1
> option as a boot param?

Nope. The old (or unpatched) openssh just called pam_close_session() incorrectly.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Justin Mattock"
Subject: Re: openssh logout not being audited on fc5
Date: Thu, 6 Nov 2008 23:46:13 -0800
To: "Wieprecht, Karen M."
Cc: "Kamau, Ndegwa", "Hamman, Jeffrey P.", "Dean, Randy J.", "Labin, Jonathan W.", "linux-audit@redhat.com", "Lange, Stephen F.", "Thomas, Daniel J."

On Thu, Nov 6, 2008 at 12:00 PM, Wieprecht, Karen M. wrote:
> OK, I got ssh logout working. The pam_close_session patch tip was the piece I needed, thanks.
>
> I found some good instructions on how to patch and rebuild an rpm package since I've never done that before (http://bradthemad.org/tech/notes/patching_rpms.php). I downloaded both the latest archived openssh src.rpms for fc5 (4.3p2-4.12) and fc6 (4.3p2-25) and compared the .patch files and the .spec files. I tried to rebuild the fc5 package with all of the additional .patch files that the fc6 version used, but at least one of them was causing the compile to fail. Rather than try to figure out which one was causing the problem, I simplified the specs to just what I thought I needed to get the auditing of ssh logout working. I was successful in getting openssh 4.3p2-4.12 to compile with its standard patches plus the pam-session patch from the 4.3p2-25 src.rpm. I then replaced the default 4.3p2-4.12 packages with my patched ones, and ssh logouts are now successfully being audited.
>
> Thanks all, you've been a big help.
>
> Karen Wieprecht
>
> -----Original Message-----
> From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Tomas Mraz
> Sent: Wednesday, November 05, 2008 6:10 PM
> To: Justin Mattock
> Cc: linux-audit@redhat.com; Wieprecht, Karen M.
> Subject: Re: openssh logout not being audited on fc5
>
> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
>> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>> >> All,
>> >> been google-ing all day, so sorry if this info is common knowledge,
>> >> but I can't seem to find it.
>> >>
>> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>> >> requirement (miserable task that it is), and I have to make this
>> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>> >> up in my audit logs, and although I have an idea why, I can't seem
>> >> to find what I think I need ... The system I am building has the
>> >> following:
>> >>
>> >> OS = FC5
>> >> audit subsystem = 1.3-2
>> >> openssh = 4.3p2-4.12
>> >> kernel = 2.6.20-1.2320-fc5
>> >>
>> >> My RHEL4 systems capture ssh logout just fine , and they are at
>> >> earlier versions of both openssh and the audit subsystem... I found
>> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix
>> >> the ssh logout problem for (I think) SuSe 10.1, so I thought I'd
>> >> try and find a later version of open ssh or at least a src.rpm to
>> >> build a newer version for fc5 , but I didn't have much luck. Found
>> >> a 4.3p2-16 src.rpm for el5, but of course, that didn't build
>> >> properly on my fc5 system .
>> >>
>> >> Anyone know if I'm chasing my tail? maybe something else will fix
>> >> this for FC5 (newer audit pkg? )? Recommendations would be most
>> >> appreciated. If you all think I DO need a newer openssh version,
>> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>> >
>> > You could try to add the relevant patch from the RHEL 5 openssh
>> > src.rpm to the FC5 package. But is it really good idea to use such
>> > old package at all? There are unfixed CVEs and so on. Of course this
>> > applies to the rest of the FC5 distribution as well.
>> > --
>> > Tomas Mraz
>> > No matter how far down the wrong road you've gone, turn back.
>> > Turkish proverb
>> >
>> > --
>> > Linux-audit mailing list
>> > Linux-audit@redhat.com
>> > https://www.redhat.com/mailman/listinfo/linux-audit
>> >
>>
>> out of curiosity would this have something to do with the audit=1
>> option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session() incorrectly.
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

What about using session required pam_selinux.so multiple (not sure which is older) but from what I remember the open and close options just recently were being used, or at least I started to notice these options.

--
Justin P. Mattock
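
A check for the symptom discussed in this thread, as an added example that is not part of any message above: it pairs the PAM session-open (USER_START) and session-close (USER_END) audit records written for sshd and lists the opens that never got a close. The sample records are constructed, and pairing on pid plus acct is an assumption, since the field layout varies between audit versions.

```python
import re

# Constructed sample records (not taken from the thread). Both the older
# "acct=name : exe=... (..., res=success)" layout and a newer quoted-acct
# layout are included; real logs differ between audit versions.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225916400.101:210): user pid=4001 uid=0 auid=500 msg='PAM: session open acct=alice : exe="/usr/sbin/sshd" (hostname=ws1.example.test, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225916460.222:214): user pid=4002 uid=0 auid=501 msg='PAM: session open acct=bob : exe="/usr/sbin/sshd" (hostname=ws2.example.test, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225916500.010:217): user pid=4003 uid=0 auid=502 msg='PAM: session open acct=carol : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_END msg=audit(1225916700.333:230): user pid=4001 uid=0 auid=500 msg='PAM: session close acct=alice : exe="/usr/sbin/sshd" (hostname=ws1.example.test, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225916800.444:236): user pid=4010 uid=0 auid=501 msg='PAM: session open acct="bob" exe="/usr/sbin/sshd" hostname=ws2.example.test addr=192.0.2.11 terminal=ssh res=success'
type=USER_END msg=audit(1225916900.555:240): user pid=4010 uid=0 auid=501 msg='PAM: session close acct="bob" exe="/usr/sbin/sshd" hostname=ws2.example.test addr=192.0.2.11 terminal=ssh res=success'
type=USER_START msg=audit(1225916950.666:244): user pid=4011 uid=0 auid=503 msg='PAM: session open acct=dave : exe="/usr/sbin/sshd" (hostname=ws3.example.test, addr=192.0.2.12, terminal=ssh res=failed)'
"""

HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
FIELDS = {
    "pid": re.compile(r"\bpid=(\d+)"),          # \b keeps ppid= from matching
    "acct": re.compile(r'\bacct="?([^\s":]+)'),  # quoted or bare account name
    "exe": re.compile(r'\bexe="([^"]+)"'),
    "res": re.compile(r"\bres=(\w+)"),
}


def parse_record(line):
    """Return the fields needed for pairing, or None for a non-audit line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for name, rx in FIELDS.items():
        found = rx.search(line)
        rec[name] = found.group(1) if found else None
    return rec


def unclosed_sessions(lines, exe="/usr/sbin/sshd"):
    """List successful USER_START records for `exe` with no later USER_END.

    Sessions that are still logged in when the log is read also show up
    here, so run this over a window in which all test logins have ended.
    """
    open_sessions = {}  # (pid, acct) -> USER_START records not yet closed
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["exe"] != exe or rec["res"] != "success":
            continue
        key = (rec["pid"], rec["acct"])
        if rec["type"] == "USER_START":
            open_sessions.setdefault(key, []).append(rec)
        elif rec["type"] == "USER_END" and open_sessions.get(key):
            open_sessions[key].pop(0)  # close the oldest open session
    leftover = [r for recs in open_sessions.values() for r in recs]
    return sorted(leftover, key=lambda r: (r["ts"], r["serial"]))


if __name__ == "__main__":
    for rec in unclosed_sessions(SAMPLE_LOG.splitlines()):
        print("no USER_END for acct=%s pid=%s (audit serial %d)"
              % (rec["acct"], rec["pid"], rec["serial"]))
```
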