From mboxrd@z Thu Jan  1 00:00:00 1970
From: Robert Harris <rharris@activedg.com>
Subject: Re: missing user authentication events.
Date: Thu, 25 Mar 2010 14:36:26 -0400
Message-ID: <4BABAD2A.2020309@activedg.com>
References: <4BAB7E7A.1070606@activedg.com>
	<201003251209.32751.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx06.extmail.prod.ext.phx2.redhat.com
	[10.5.110.10])
	by int-mx03.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id o2PIafhA008216
	for <linux-audit@redhat.com>; Thu, 25 Mar 2010 14:36:41 -0400
Received: from mail1.activedatatech.net (mail1.activedatatech.net
	[216.154.205.166])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2PIaSQm030584
	for <linux-audit@redhat.com>; Thu, 25 Mar 2010 14:36:28 -0400
Received: from localhost (localhost [127.0.0.1])
	by mail1.activedatatech.net (Postfix) with ESMTP id E4AA116E3A7
	for <linux-audit@redhat.com>; Thu, 25 Mar 2010 14:36:27 -0400 (EDT)
Received: from mail1.activedatatech.net ([192.168.3.224])
	by localhost (mail1.activedatatech.net [127.0.0.1]) (amavisd-new,
	port 10024) with ESMTP id 03660-02 for <linux-audit@redhat.com>;
	Thu, 25 Mar 2010 14:36:27 -0400 (EDT)
Received: from [192.168.2.133] (dfb.livedatagroup.com [64.139.144.2])
	by mail1.activedatatech.net (Postfix) with ESMTP id 02EA716B824
	for <linux-audit@redhat.com>; Thu, 25 Mar 2010 14:36:26 -0400 (EDT)
In-Reply-To: <201003251209.32751.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


On 03/25/2010 12:09 PM, Steve Grubb wrote:
> On Thursday 25 March 2010 11:17:14 am Robert Harris wrote:
>   
>> My setup for auditd is the same in both places. However on the debian
>> system I get no audit events for user authentication for things like ssh
>> and su.
>>     
> Maybe a Debian maintainer could answer how they do things...but in the mean 
> time, the login events come from user space. On RHEL/Fedora, we have enabled 
> auditing in the pam build.
>
> -Steve
>   
Would it be possible for me to check for it being enabled? it looks as
though it is not. is it very hard to add the fix? or would I be better
off trying to build a package from another distro that has it enabled? 
I believe my libpam version is 0.81.12 and I have 0.81.8 on an opensuse
box that works just fine with user authentication auditing.