* missing user authentication events. @ 2010-03-25 15:17 Robert Harris 2010-03-25 16:09 ` Steve Grubb 0 siblings, 1 reply; 6+ messages in thread From: Robert Harris @ 2010-03-25 15:17 UTC (permalink / raw) To: linux-audit [-- Attachment #1: Type: text/html, Size: 2131 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: missing user authentication events. 2010-03-25 15:17 missing user authentication events Robert Harris @ 2010-03-25 16:09 ` Steve Grubb 2010-03-25 18:36 ` Robert Harris 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2010-03-25 16:09 UTC (permalink / raw) To: linux-audit On Thursday 25 March 2010 11:17:14 am Robert Harris wrote: > My setup for auditd is the same in both places. However on the debian > system I get no audit events for user authentication for things like ssh > and su. Maybe a Debian maintainer could answer how they do things...but in the mean time, the login events come from user space. On RHEL/Fedora, we have enabled auditing in the pam build. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: missing user authentication events. 2010-03-25 16:09 ` Steve Grubb @ 2010-03-25 18:36 ` Robert Harris 2010-03-25 19:11 ` Steve Grubb 0 siblings, 1 reply; 6+ messages in thread From: Robert Harris @ 2010-03-25 18:36 UTC (permalink / raw) To: linux-audit On 03/25/2010 12:09 PM, Steve Grubb wrote: > On Thursday 25 March 2010 11:17:14 am Robert Harris wrote: > >> My setup for auditd is the same in both places. However on the debian >> system I get no audit events for user authentication for things like ssh >> and su. >> > Maybe a Debian maintainer could answer how they do things...but in the mean > time, the login events come from user space. On RHEL/Fedora, we have enabled > auditing in the pam build. > > -Steve > Would it be possible for me to check for it being enabled? it looks as though it is not. is it very hard to add the fix? or would I be better off trying to build a package from another distro that has it enabled? I believe my libpam version is 0.81.12 and I have 0.81.8 on an opensuse box that works just fine with user authentication auditing. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: missing user authentication events. 2010-03-25 18:36 ` Robert Harris @ 2010-03-25 19:11 ` Steve Grubb 2011-11-29 12:24 ` Fmy Oen 0 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2010-03-25 19:11 UTC (permalink / raw) To: linux-audit On Thursday 25 March 2010 02:36:26 pm Robert Harris wrote: > On 03/25/2010 12:09 PM, Steve Grubb wrote: > > Maybe a Debian maintainer could answer how they do things...but in the > > mean time, the login events come from user space. On RHEL/Fedora, we > > have enabled auditing in the pam build. > > Would it be possible for me to check for it being enabled? Something like: strings /lib64/libpam.so.0 | grep audit_open > it looks as though it is not. is it very hard to add the fix? It might just need rebuilding with the audit library & its headers present. Pam should automatically pick it up. To check this do ./configure --help and see if there is a --disable-audit. If there is a diable-audit, its patched and just needs rebuilding. If not, you need a newer pam. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: missing user authentication events. 2010-03-25 19:11 ` Steve Grubb @ 2011-11-29 12:24 ` Fmy Oen 2011-11-29 16:17 ` Steve Grubb 0 siblings, 1 reply; 6+ messages in thread From: Fmy Oen @ 2011-11-29 12:24 UTC (permalink / raw) To: linux-audit Hi, I have the same problem Robert Harris talking about. CentOS: > ldd /lib/libpam.so.0 linux-gate.so.1 => (0x00680000) libdl.so.2 => /lib/libdl.so.2 (0x00601000) libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000) libc.so.6 => /lib/libc.so.6 (0x004a6000) /lib/ld-linux.so.2 (0x00482000) > strings /lib/libpam.so.0 | grep audit_open audit_open audit_open() failed: %m Debian: > ldd /lib/libpam.so.0 linux-gate.so.1 => (0xb7733000) libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000) libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000) libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000) /lib/ld-linux.so.2 (0xb7734000) > strings /lib/libpam.so.0 | grep audit_open > I managed to recompile login package but I'm having problems with compilation of libpam0g (/lib/libpam.so.0 containing package): > sudo dpkg-buildpackage -rfakeroot -b ... /bin/bash ../../libtool --tag=CC --mode=link gcc -I../../libpam/include -I../../libpamc/include -I../../libpam_misc/include -g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-declarations -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes -Wwrite-strings -Winline -Wshadow -no-undefined -avoid-version -module -Wl,--version-script=./../modules.map -Wl,-z,defs -Wl,--as-needed -Wl,-O1 -o pam_selinux.la -rpath /lib/security pam_selinux.lo -L../../libpam -lpam -lselinux -lcrypt libtool: link: gcc -shared .libs/pam_selinux.o -Wl,-rpath -Wl,/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs -L/home/fmyoen/tmp/1/pam-1.1.1/libpam /home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs/libpam.so -lselinux -lcrypt -Wl,--version-script=./../modules.map -Wl,-z -Wl,defs -Wl,--as-needed -Wl,-O1 -Wl,-soname -Wl,pam_selinux.so -o .libs/pam_selinux.so .libs/pam_selinux.o: In function `send_audit_message': /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:87: undefined reference to `audit_open' /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:112: undefined reference to `audit_log_user_message' collect2: ld returned 1 exit status make[4]: *** [pam_selinux.la] Error 1 make[4]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1' make[1]: *** [all] Error 2 make[1]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1' dh_auto_build: make -j1 returned exit code 2 make: *** [build] Error 2 dpkg-buildpackage: error: debian/rules build gave error exit status 2 Any ideas what should I do? For me it looks like some packages still need to be recompiled. How can I trace it? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: missing user authentication events. 2011-11-29 12:24 ` Fmy Oen @ 2011-11-29 16:17 ` Steve Grubb 0 siblings, 0 replies; 6+ messages in thread From: Steve Grubb @ 2011-11-29 16:17 UTC (permalink / raw) To: linux-audit On Tuesday, November 29, 2011 07:24:32 AM Fmy Oen wrote: > Any ideas what should I do? For me it looks like some packages still need > to be recompiled. How can I trace it? looks like libaudit needs to be in your build root. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-11-29 16:17 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-03-25 15:17 missing user authentication events Robert Harris 2010-03-25 16:09 ` Steve Grubb 2010-03-25 18:36 ` Robert Harris 2010-03-25 19:11 ` Steve Grubb 2011-11-29 12:24 ` Fmy Oen 2011-11-29 16:17 ` Steve Grubb
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox