From: Steve Grubb <sgrubb@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit Prelude Logout Tracking
Date: Thu, 19 Feb 2009 13:39:22 -0500 [thread overview]
Message-ID: <200902191339.23110.sgrubb@redhat.com> (raw)
In-Reply-To: <1235057098.11692.163.camel@homeserver>
On Thursday 19 February 2009 10:24:58 am LC Bruzenak wrote:
> On Thu, 2009-02-19 at 09:36 -0500, Steve Grubb wrote:
> > On Thursday 19 February 2009 09:26:28 am Dan Gruhn wrote:
> > > Although this seemed like the right place to look, I don't see
> > > USER_LOGOUT events in my audit logs,
> >
> > They are not used. I decided later that it was not needed for analysis.
> > When you login, there is always a session open event (user_start). This
> > is associated with a user_login event. So, when you see the session
> > closed event (user_end), the logout has occurred.
>
> So for IDS events we have only console logins, not logouts, and no ssh
> events?
yes, we have login events for IDS, because you could have failed logins or
logins under an account you thought was deactivated. The logout doesn't have
any security checks or permissions that have to be granted. I think the time
accounting aspect is best left to other utilities designed for that.
> > However...what if gdm dies? What if the kernel oopses? You have no ending
> > marker. So, what I did recently was patch upstart so that it logs system
> > boot & shutdown events. This way you can tell when the system
> > malfunctioned. The logic for the analysis is in the aulast program, which
> > is in 1.7.11. However, you don't have a patched upstart daemon for RHEL5
> > since it uses the older SysVinit package.
>
> If gdm dies I thought it would throw an anomaly event.
Nope. X programs catch SIGSEGV and don't actually dump core. So, we don't get
any notification. But still, would you associate the anomaly event with the
logging out of a user?
> Don't the kernel oopses do the same thing?
Nope. When the kernel oopses, everything halts.
> Since the audit-viewer is not network-capable, we need more info in
> the prelude listings.
The audit viewer should work against aggregate logs.
> As I've said before, if logouts are not IDS events why are logins?
Because it requires the act of granting permission. Someone could be logging
in from a forbidden host, or a locked acct, or trying to guess the password.
If they get in, you have problems.
> Dan, as Steve says, aulast provides the analysis.
> However, either I read it wrong or it ignores root:
That was fixed in https://fedorahosted.org/audit/changeset/241 a couple weeks
ago.
-Steve
next prev parent reply other threads:[~2009-02-19 18:39 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-18 21:58 Audit Prelude Logout Tracking Dan Gruhn
2009-02-18 22:44 ` LC Bruzenak
2009-02-18 23:25 ` LC Bruzenak
2009-02-19 14:26 ` Dan Gruhn
2009-02-19 14:36 ` Steve Grubb
2009-02-19 15:24 ` LC Bruzenak
2009-02-19 18:39 ` Steve Grubb [this message]
2009-02-19 19:49 ` LC Bruzenak
2009-02-19 14:45 ` LC Bruzenak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200902191339.23110.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox