From: Robert Harris
Subject: missing user authentication events.
Date: Thu, 25 Mar 2010 11:17:14 -0400
Message-ID: <4BAB7E7A.1070606@activedg.com>
To: linux-audit@redhat.com

I have been creating an auditing procedure. I am working with two different OSes: openSUSE 11.x (everything is working fine) and Debian 5.0.4 (I am having problems with this).

My setup for auditd is the same in both places. However, on the Debian system I get no audit events for user authentication for things like ssh and su. I do properly receive file/directory and syscall events. I am at a complete loss; it almost seems like auditd doesn't even see the login at all. I looked at the kernel config, but all audit-related things seem to be enabled.

Any ideas?

--
Robert Harris
Desktop Support Technician
Foreclosure.com
2201 NW Corporate Blvd., Suite 200
Boca Raton, Florida 33431
561.988.9669 x393 Office
561.981.5339 Fax
From: Steve Grubb
Subject: Re: missing user authentication events.
Date: Thu, 25 Mar 2010 12:09:32 -0400
Message-ID: <201003251209.32751.sgrubb@redhat.com>
In-Reply-To: <4BAB7E7A.1070606@activedg.com>
To: linux-audit@redhat.com

On Thursday 25 March 2010 11:17:14 am Robert Harris wrote:
> My setup for auditd is the same in both places. However on the debian
> system I get no audit events for user authentication for things like ssh
> and su.

Maybe a Debian maintainer could answer how they do things...but in the mean time, the login events come from user space. On RHEL/Fedora, we have enabled auditing in the pam build.

-Steve

From: Robert Harris
Subject: Re: missing user authentication events.
Date: Thu, 25 Mar 2010 14:36:26 -0400
Message-ID: <4BABAD2A.2020309@activedg.com>
In-Reply-To: <201003251209.32751.sgrubb@redhat.com>
To: linux-audit@redhat.com

On 03/25/2010 12:09 PM, Steve Grubb wrote:
> On Thursday 25 March 2010 11:17:14 am Robert Harris wrote:
>> My setup for auditd is the same in both places. However on the debian
>> system I get no audit events for user authentication for things like ssh
>> and su.
>
> Maybe a Debian maintainer could answer how they do things...but in the mean
> time, the login events come from user space. On RHEL/Fedora, we have enabled
> auditing in the pam build.
>
> -Steve

Would it be possible for me to check for it being enabled? It looks as though it is not. Is it very hard to add the fix? Or would I be better off trying to build a package from another distro that has it enabled? I believe my libpam version is 0.81.12, and I have 0.81.8 on an openSUSE box that works just fine with user authentication auditing.

From: Steve Grubb
Subject: Re: missing user authentication events.
Date: Thu, 25 Mar 2010 15:11:33 -0400
Message-ID: <201003251511.33968.sgrubb@redhat.com>
In-Reply-To: <4BABAD2A.2020309@activedg.com>
To: linux-audit@redhat.com

On Thursday 25 March 2010 02:36:26 pm Robert Harris wrote:
> On 03/25/2010 12:09 PM, Steve Grubb wrote:
> > Maybe a Debian maintainer could answer how they do things...but in the
> > mean time, the login events come from user space. On RHEL/Fedora, we
> > have enabled auditing in the pam build.
>
> Would it be possible for me to check for it being enabled?

Something like:

    strings /lib64/libpam.so.0 | grep audit_open

> it looks as though it is not. is it very hard to add the fix?

It might just need rebuilding with the audit library & its headers present. Pam should automatically pick it up. To check this, do ./configure --help and see if there is a --disable-audit. If there is a --disable-audit, it's patched and just needs rebuilding. If not, you need a newer pam.

-Steve

From: Fmy Oen
Subject: Re: missing user authentication events.
Date: Tue, 29 Nov 2011 12:24:32 +0000 (UTC)
References: <4BAB7E7A.1070606@activedg.com> <201003251209.32751.sgrubb@redhat.com> <4BABAD2A.2020309@activedg.com> <201003251511.33968.sgrubb@redhat.com>
To: linux-audit@redhat.com

Hi,

I have the same problem Robert Harris is talking about.
CentOS:

    > ldd /lib/libpam.so.0
            linux-gate.so.1 =>  (0x00680000)
            libdl.so.2 => /lib/libdl.so.2 (0x00601000)
            libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000)
            libc.so.6 => /lib/libc.so.6 (0x004a6000)
            /lib/ld-linux.so.2 (0x00482000)
    > strings /lib/libpam.so.0 | grep audit_open
    audit_open
    audit_open() failed: %m

Debian:

    > ldd /lib/libpam.so.0
            linux-gate.so.1 =>  (0xb7733000)
            libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000)
            libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000)
            libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000)
            /lib/ld-linux.so.2 (0xb7734000)
    > strings /lib/libpam.so.0 | grep audit_open
    >

I managed to recompile the login package, but I'm having problems with compilation of libpam0g (the package containing /lib/libpam.so.0):

    > sudo dpkg-buildpackage -rfakeroot -b
    ...
    /bin/bash ../../libtool --tag=CC --mode=link gcc -I../../libpam/include -I../../libpamc/include -I../../libpam_misc/include -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-declarations -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes -Wwrite-strings -Winline -Wshadow -no-undefined -avoid-version -module -Wl,--version-script=./../modules.map -Wl,-z,defs -Wl,--as-needed -Wl,-O1 -o pam_selinux.la -rpath /lib/security pam_selinux.lo -L../../libpam -lpam -lselinux -lcrypt
    libtool: link: gcc -shared .libs/pam_selinux.o -Wl,-rpath -Wl,/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs -L/home/fmyoen/tmp/1/pam-1.1.1/libpam /home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs/libpam.so -lselinux -lcrypt -Wl,--version-script=./../modules.map -Wl,-z -Wl,defs -Wl,--as-needed -Wl,-O1 -Wl,-soname -Wl,pam_selinux.so -o .libs/pam_selinux.so
    .libs/pam_selinux.o: In function `send_audit_message':
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:87: undefined reference to `audit_open'
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:112: undefined reference to `audit_log_user_message'
    collect2: ld returned 1 exit status
    make[4]: *** [pam_selinux.la] Error 1
    make[4]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux'
    make[3]: *** [all-recursive] Error 1
    make[3]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    dh_auto_build: make -j1 returned exit code 2
    make: *** [build] Error 2
    dpkg-buildpackage: error: debian/rules build gave error exit status 2

Any ideas what I should do? For me it looks like some packages still need to be recompiled. How can I trace it?

From: Steve Grubb
Subject: Re: missing user authentication events.
Date: Tue, 29 Nov 2011 11:17:08 -0500
Message-ID: <201111291117.08268.sgrubb@redhat.com>
To: linux-audit@redhat.com

On Tuesday, November 29, 2011 07:24:32 AM Fmy Oen wrote:
> Any ideas what I should do? For me it looks like some packages still need
> to be recompiled. How can I trace it?

looks like libaudit needs to be in your build root.

-Steve
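The two checks Steve suggests in this thread (does libpam.so.0 reference audit_open, and does the PAM source tree's configure know --disable-audit), plus the ldd check Fmy Oen ran, as a small script. This is an added example written for this page; it is not code from the thread, from Steve Grubb or from the Linux-PAM project. The candidate library paths (including the multiarch ones) are assumptions about the local distro layout; grep -a is used instead of strings so the check does not depend on binutils being installed.

```shell
#!/bin/sh
# Added example: decide whether the installed libpam can emit user-space
# authentication events (USER_AUTH, USER_LOGIN, ...). libpam only calls
# audit_open()/audit_log_user_message() when it was compiled against
# libaudit, so a libpam.so.0 built with audit support names audit_open in
# its dynamic symbol table and one built without it does not.

# Return 0 if the shared object references audit_open, 1 otherwise.
# grep -a scans the binary directly, so strings/nm are not required.
pam_audit_symbols() {
    lib="$1"
    [ -r "$lib" ] || return 1
    grep -aq 'audit_open' "$lib"
}

# Return 0 if ldd lists libaudit as a runtime dependency of the object
# (this is what the CentOS ldd output in the thread shows and the Debian one lacks).
pam_audit_linked() {
    lib="$1"
    [ -r "$lib" ] || return 1
    ldd "$lib" 2>/dev/null | grep -q 'libaudit\.so'
}

# Return 0 if a PAM source tree's configure script knows --disable-audit,
# i.e. the tree already carries audit support and only needs libaudit and
# its headers present at build time to pick it up.
pam_source_has_audit_option() {
    configure="$1"
    [ -r "$configure" ] || return 1
    grep -q -- '--disable-audit' "$configure"
}

# Print the first libpam.so.0 found in the usual locations (paths are an
# assumption about the local layout); return 1 if none is readable.
find_libpam() {
    for f in /lib64/libpam.so.0 /lib/libpam.so.0 \
             /lib/x86_64-linux-gnu/libpam.so.0 /usr/lib/x86_64-linux-gnu/libpam.so.0 \
             /usr/lib64/libpam.so.0 /usr/lib/libpam.so.0; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Human-readable report; always returns 0 so the file can also be sourced.
report_pam_audit() {
    lib=$(find_libpam) || { echo "libpam.so.0 not found in the usual paths"; return 0; }
    echo "checking $lib"
    if pam_audit_symbols "$lib"; then
        echo "  audit_open referenced: libpam was built with audit support"
    else
        echo "  audit_open absent: libpam was built WITHOUT audit support;"
        echo "  rebuild pam with libaudit and its headers installed"
    fi
    if pam_audit_linked "$lib"; then
        echo "  ldd: links libaudit.so"
    else
        echo "  ldd: no libaudit.so dependency (or ldd unavailable)"
    fi
    return 0
}

report_pam_audit
```

If the report says audit_open is absent, the fix is the one Steve describes: make libaudit and its headers visible to the build and rebuild PAM. On a Debian-derived system that is, as an assumption about package names, `apt-get build-dep pam`, `apt-get install libaudit-dev`, `apt-get source pam`, then `dpkg-buildpackage -rfakeroot -b` inside the unpacked tree, the same command Fmy Oen used; the link error on pam_selinux in the thread is what that build looks like when libaudit is missing from the build root. Run `pam_audit_symbols` against the freshly built libpam.so.0 before installing it, and after installing, confirm end to end with a test login followed by `ausearch -m USER_AUTH -ts recent`.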