public inbox for linux-audit@redhat.com
* missing user authentication events.
@ 2010-03-25 15:17 Robert Harris
  2010-03-25 16:09 ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Robert Harris @ 2010-03-25 15:17 UTC (permalink / raw)
  To: linux-audit

[-- Attachment #1: Type: text/html, Size: 2131 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



* Re: missing user authentication events.
  2010-03-25 15:17 missing user authentication events Robert Harris
@ 2010-03-25 16:09 ` Steve Grubb
  2010-03-25 18:36   ` Robert Harris
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2010-03-25 16:09 UTC (permalink / raw)
  To: linux-audit

On Thursday 25 March 2010 11:17:14 am Robert Harris wrote:
> My setup for auditd is the same in both places. However on the Debian
> system I get no audit events for user authentication for things like ssh
> and su.

Maybe a Debian maintainer could answer how they do things...but in the
meantime, the login events come from user space. On RHEL/Fedora, we have enabled
auditing in the pam build.

-Steve

* Re: missing user authentication events.
  2010-03-25 16:09 ` Steve Grubb
@ 2010-03-25 18:36   ` Robert Harris
  2010-03-25 19:11     ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Robert Harris @ 2010-03-25 18:36 UTC (permalink / raw)
  To: linux-audit


On 03/25/2010 12:09 PM, Steve Grubb wrote:
> On Thursday 25 March 2010 11:17:14 am Robert Harris wrote:
>   
>> My setup for auditd is the same in both places. However on the Debian
>> system I get no audit events for user authentication for things like ssh
>> and su.
>>     
> Maybe a Debian maintainer could answer how they do things...but in the
> meantime, the login events come from user space. On RHEL/Fedora, we have enabled
> auditing in the pam build.
>
> -Steve
>   
Would it be possible for me to check for it being enabled? It looks as
though it is not. Is it very hard to add the fix? Or would I be better
off trying to build a package from another distro that has it enabled?
I believe my libpam version is 0.81.12 and I have 0.81.8 on an openSUSE
box that works just fine with user authentication auditing.

* Re: missing user authentication events.
  2010-03-25 18:36   ` Robert Harris
@ 2010-03-25 19:11     ` Steve Grubb
  2011-11-29 12:24       ` Fmy Oen
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2010-03-25 19:11 UTC (permalink / raw)
  To: linux-audit

On Thursday 25 March 2010 02:36:26 pm Robert Harris wrote:
> On 03/25/2010 12:09 PM, Steve Grubb wrote:
> > Maybe a Debian maintainer could answer how they do things...but in the
> > meantime, the login events come from user space. On RHEL/Fedora, we
> > have enabled auditing in the pam build.
> 
> Would it be possible for me to check for it being enabled? 

Something like:
strings /lib64/libpam.so.0 | grep audit_open


> It looks as though it is not. Is it very hard to add the fix?

It might just need rebuilding with the audit library & its headers present.
Pam should automatically pick it up. To check this do ./configure --help and
see if there is a --disable-audit. If there is a disable-audit, it's patched and
just needs rebuilding. If not, you need a newer pam.

-Steve

* Re: missing user authentication events.
  2010-03-25 19:11     ` Steve Grubb
@ 2011-11-29 12:24       ` Fmy Oen
  2011-11-29 16:17         ` Steve Grubb
  0 siblings, 1 reply; 6+ messages in thread
From: Fmy Oen @ 2011-11-29 12:24 UTC (permalink / raw)
  To: linux-audit

Hi, I have the same problem Robert Harris was talking about.

CentOS:

> ldd /lib/libpam.so.0
        linux-gate.so.1 =>  (0x00680000)
        libdl.so.2 => /lib/libdl.so.2 (0x00601000)
        libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000)
        libc.so.6 => /lib/libc.so.6 (0x004a6000)
        /lib/ld-linux.so.2 (0x00482000)
> strings /lib/libpam.so.0 | grep audit_open
audit_open
audit_open() failed: %m

Debian:

> ldd /lib/libpam.so.0
        linux-gate.so.1 =>  (0xb7733000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000)
        libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000)
        /lib/ld-linux.so.2 (0xb7734000)
> strings /lib/libpam.so.0 | grep audit_open
>

I managed to recompile the login package but I'm having problems with compilation of
libpam0g (the package containing /lib/libpam.so.0):

> sudo dpkg-buildpackage -rfakeroot -b
    ...
    /bin/bash ../../libtool --tag=CC   --mode=link gcc -I../../libpam/include
-I../../libpamc/include -I../../libpam_misc/include -g -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -O2 -W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual
-Wmissing-declarations -Wmissing-prototypes -Wpointer-arith -Wreturn-type
-Wstrict-prototypes -Wwrite-strings -Winline -Wshadow -no-undefined
-avoid-version -module -Wl,--version-script=./../modules.map -Wl,-z,defs
-Wl,--as-needed -Wl,-O1 -o pam_selinux.la -rpath /lib/security pam_selinux.lo
-L../../libpam -lpam -lselinux -lcrypt
    libtool: link: gcc -shared  .libs/pam_selinux.o   -Wl,-rpath
-Wl,/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs
-L/home/fmyoen/tmp/1/pam-1.1.1/libpam
/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs/libpam.so -lselinux -lcrypt 
-Wl,--version-script=./../modules.map -Wl,-z -Wl,defs -Wl,--as-needed -Wl,-O1  
-Wl,-soname -Wl,pam_selinux.so -o .libs/pam_selinux.so
    .libs/pam_selinux.o: In function `send_audit_message':
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:87: undefined
reference to `audit_open'
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:112:
undefined reference to `audit_log_user_message'
    collect2: ld returned 1 exit status
    make[4]: *** [pam_selinux.la] Error 1
    make[4]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux'
    make[3]: *** [all-recursive] Error 1
    make[3]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    dh_auto_build: make -j1 returned exit code 2
    make: *** [build] Error 2
    dpkg-buildpackage: error: debian/rules build gave error exit status 2

Any ideas what I should do? For me it looks like some packages still need to be
recompiled. How can I trace it?

* Re: missing user authentication events.
  2011-11-29 12:24       ` Fmy Oen
@ 2011-11-29 16:17         ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2011-11-29 16:17 UTC (permalink / raw)
  To: linux-audit

On Tuesday, November 29, 2011 07:24:32 AM Fmy Oen wrote:
> Any ideas what I should do? For me it looks like some packages still need
> to be recompiled. How can I trace it?

Looks like libaudit needs to be in your build root.

-Steve
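
Added example, not part of the thread and not code from any poster: a shell helper that combines the two checks used above (the `ldd` listing and `strings ... | grep audit_open`) into one verdict on whether a libpam build has audit support. The function names and verdict labels are assumptions made for this example; the sample inputs are abridged from the CentOS and Debian output posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify a libpam build from the two
# checks discussed above (ldd, and strings | grep audit_open).

# pam_audit_status LDD_OUTPUT STRINGS_OUTPUT
# Prints: enabled | linked-only | symbol-only | disabled
pam_audit_status() {
    linked=no; symbol=no
    # Is libaudit listed among the resolved shared-library dependencies?
    if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])libaudit\.so(\.[0-9]+)*[[:space:]]'; then
        linked=yes
    fi
    # An exact "audit_open" line is the imported symbol name, as opposed to
    # the "audit_open() failed: %m" log format string.
    if printf '%s\n' "$2" | grep -qx 'audit_open'; then
        symbol=yes
    fi
    case "$linked/$symbol" in
        yes/yes) echo enabled ;;
        yes/no)  echo linked-only ;;   # ldd also lists indirect dependencies
        no/yes)  echo symbol-only ;;
        *)       echo disabled ;;
    esac
}

# check_libpam PATH: run both checks against a library installed on this host.
# ldd can execute code from the file it inspects; use it on system libraries only.
check_libpam() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    pam_audit_status "$(ldd "$1" 2>/dev/null)" "$(strings "$1" | grep audit_open)"
}

# Sample inputs, abridged from the CentOS and Debian output posted in the thread.
CENTOS_LDD='        libdl.so.2 => /lib/libdl.so.2 (0x00601000)
        libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000)
        libc.so.6 => /lib/libc.so.6 (0x004a6000)'
CENTOS_STRINGS='audit_open
audit_open() failed: %m'
DEBIAN_LDD='        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000)
        libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000)'
DEBIAN_STRINGS=''

echo "CentOS sample: $(pam_audit_status "$CENTOS_LDD" "$CENTOS_STRINGS")"
echo "Debian sample: $(pam_audit_status "$DEBIAN_LDD" "$DEBIAN_STRINGS")"
```

On a live system, call `check_libpam /lib/libpam.so.0` (or the `/lib64` path) after sourcing the functions; a `disabled` result matches the Debian case in the thread, where no login events reach the audit log.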
