public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Loredan Stancu <loredan.stancu@myclar.ro>
Cc: linux-audit@redhat.com
Subject: Re: audisp-prelude problems
Date: Thu, 4 Dec 2008 08:41:10 -0500
Message-ID: <200812040841.10931.sgrubb@redhat.com>
In-Reply-To: <37319.193.230.245.33.1228396221.squirrel@secure.myclar.ro>

On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
> I recompiled sshd with support for pam on the gentoo machine and the
> following event is logged when using "UsePAM yes" in sshd_config file:
>
> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5

This is from the kernel when pam_loginuid sets the loginuid. It's very 
important for all entry point daemons to set this (login, remote, gdm, sshd, 
kdm, xdm, vsftpd, ...). You also need pam itself enabled to send audit events. 
I believe that recent pam versions (0.9 or higher) automatically use libaudit 
if it's present when compiling. You might double-check what ./configure --help 
shows on your distro.


> And also on fedora machine events are generated when a user is logging in
> local or using a terminal or a console. On gentoo machine no events are
> generated when a user is logged in from a terminal or console.

There is a fair amount of enabling audit all over the place. I guess this is a 
disadvantage for a do-it-yourself distribution. There are things in pam, and 
probably 10-15 packages that are audit aware.


> What happens on Fedora is OK and I also want this to happen on Gentoo. Have
> you any idea why the same events are not generated on Gentoo as they are
> generated in Fedora?

I suspect that you needed libaudit built and installed early in the process of 
building Gentoo if you compiled it yourself. If you didn't build it, then they 
must not place a high priority on this security feature. I don't follow the 
Gentoo distribution, so what I just said could be all wrong. But I think if 
libaudit is missing early in the build process, lots of things won't find it 
and disable audit support.


> Does Fedora have something which may not be present or may not be included?

We send everything upstream so that everyone can benefit. Even that patch for 
sshd I referred you to was sent upstream, but they have not accepted it.

-Steve
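
As an added illustration (not from the thread or from the audit project): a small Python check that parses `type=LOGIN` records like the one quoted above, which is what the kernel emits when pam_loginuid sets the loginuid, and that flags other records still carrying `auid=4294967295`, the symptom a sysadmin would see when an entry-point daemon was built without PAM or without pam_loginuid. The sample log and the non-LOGIN records in it are constructed for this example.

```python
import re
from collections import namedtuple

UNSET = 4294967295  # (uid_t)-1: the kernel's sentinel for "loginuid not set"

# Constructed sample: the LOGIN record quoted in the thread, followed by two
# made-up SYSCALL records, one tied to that session and one from a process
# whose entry-point daemon never ran pam_loginuid (auid/ses still unset).
SAMPLE_AUDIT_LOG = """\
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
node=127.0.0.1 type=SYSCALL msg=audit(1228395163.000:13): arch=c000003e syscall=59 success=yes exit=0 auid=1000 ses=5 comm="bash"
node=127.0.0.1 type=SYSCALL msg=audit(1228395300.000:40): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 ses=4294967295 comm="bash"
"""

LoginEvent = namedtuple("LoginEvent", "serial pid old_auid new_auid new_ses")

_SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_LOGIN_KV_RE = re.compile(r"\b(old auid|new auid|old ses|new ses|pid)=(\d+)")
_AUID_RE = re.compile(r"\bauid=(\d+)")


def parse_login_records(text):
    """Return a LoginEvent for every type=LOGIN record (what the kernel emits
    when pam_loginuid sets the loginuid for a new session)."""
    events = []
    for line in text.splitlines():
        if "type=LOGIN " not in line:
            continue
        serial = int(_SERIAL_RE.search(line).group(1))
        kv = {k: int(v) for k, v in _LOGIN_KV_RE.findall(line)}
        events.append(LoginEvent(serial, kv["pid"], kv["old auid"],
                                 kv["new auid"], kv["new ses"]))
    return events


def unattributed_records(text):
    """Return serials of non-LOGIN records carrying auid=4294967295: activity
    no login session can be tied to. Boot-time daemons are expected here;
    an interactive shell is not, and points at an entry-point daemon that
    is missing PAM/pam_loginuid."""
    serials = []
    for line in text.splitlines():
        if "type=LOGIN " in line:
            continue
        m = _AUID_RE.search(line)
        if m and int(m.group(1)) == UNSET:
            serials.append(int(_SERIAL_RE.search(line).group(1)))
    return serials


if __name__ == "__main__":
    for ev in parse_login_records(SAMPLE_AUDIT_LOG):
        print(f"serial {ev.serial}: pid {ev.pid} loginuid {ev.old_auid} -> {ev.new_auid}, ses {ev.new_ses}")
    print("records with unset loginuid:", unattributed_records(SAMPLE_AUDIT_LOG))
```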
