public inbox for linux-audit@redhat.com
From: "Justin P. Mattock" <justinmattock@gmail.com>
To: Tomas Mraz <tmraz@redhat.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>,
	"Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Subject: Re: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 16:39:19 -0800
Message-ID: <C0014AD7-4CAB-444E-A2E0-C4E66894D2CC@gmail.com>
In-Reply-To: <1225926600.3447.165.camel@vespa.frost.loc>

Ahh simple pam.d scenario

Justin P. Mattock

On Nov 5, 2008, at 3:10 PM, Tomas Mraz <tmraz@redhat.com> wrote:

> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz@redhat.com> wrote:
>>> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>>>> All,
>>>> Been googling all day, so sorry if this info is common knowledge,
>>>> but I can't seem to find it.
>>>>
>>>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>>>> requirement (miserable task that it is), and I have to make this
>>>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>>>> up in my audit logs, and although I have an idea why, I can't seem to
>>>> find what I think I need ... The system I am building has the
>>>> following:
>>>>
>>>> OS              = FC5
>>>> audit subsystem = 1.3-2
>>>> openssh         = 4.3p2-4.12
>>>> kernel          = 2.6.20-1.2320-fc5
>>>>
>>>> My RHEL4 systems capture ssh logout just fine, and they are at
>>>> earlier versions of both openssh and the audit subsystem... I found
>>>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>>>> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
>>>> find a later version of open ssh or at least a src.rpm to build a
>>>> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
>>>> src.rpm for el5, but of course, that didn't build properly on my fc5
>>>> system.
>>>>
>>>> Anyone know if I'm chasing my tail? Maybe something else will fix
>>>> this for FC5 (newer audit pkg?)? Recommendations would be most
>>>> appreciated. If you all think I DO need a newer openssh version,
>>>> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>>>
>>> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
>>> to the FC5 package. But is it really a good idea to use such an old
>>> package at all? There are unfixed CVEs and so on. Of course this applies
>>> to the rest of the FC5 distribution as well.
>>> --
>>> Tomas Mraz
>>> No matter how far down the wrong road you've gone, turn back.
>>>                                             Turkish proverb
>>>
>>
>> out of curiosity would this have something
>> to do with the audit=1 option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session()
> incorrectly.
>
> -- 
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                              Turkish proverb
>
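
A check a defender could run to confirm the symptom discussed in this thread (sshd sessions that open but never log a close). This is an added example, not code from the thread or from openssh or the audit project. It assumes PAM session open and close show up as USER_START and USER_END audit records; the sample lines and their field layout are constructed.

```python
import re

# Constructed sample records (not from the thread). Assumption: PAM-aware
# services emit USER_START on session open and USER_END on session close.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225920000.101:210): user pid=4101 uid=0 auid=500 ses=7 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_END msg=audit(1225920300.442:233): user pid=4101 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_START msg=audit(1225921000.007:250): user pid=4188 uid=0 auid=501 ses=8 msg='op=PAM:session_open acct="bob" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_START msg=audit(1225921500.310:260): user pid=4200 uid=0 auid=500 ses=9 msg='op=PAM:session_open acct="alice" exe="/bin/login" terminal=tty1 res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one audit record into a dict of its key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: v.strip("\"'") for k, v in FIELD.findall(line[m.end():])}
    rec.update(type=m.group(1), time=int(m.group(2)), serial=int(m.group(3)))
    return rec

def sessions_without_logout(log_text, exe="/usr/sbin/sshd"):
    """Return USER_START records for `exe` that never got a matching USER_END."""
    open_sessions = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec.get("exe") != exe:
            continue
        # Assumption: the ses field (or pid, when ses is absent) identifies a session.
        key = rec.get("ses") or rec.get("pid")
        if rec["type"] == "USER_START" and rec.get("res") == "success":
            open_sessions[key] = rec
        elif rec["type"] == "USER_END":
            open_sessions.pop(key, None)
    return sorted(open_sessions.values(), key=lambda r: r["serial"])

if __name__ == "__main__":
    for r in sessions_without_logout(SAMPLE_LOG):
        print(f'no USER_END for acct={r["acct"]} pid={r["pid"]} serial={r["serial"]}')
```

A session still in progress also appears in the result, so run it over a window in which every ssh login is known to have ended.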
