From: "Justin P. Mattock"
Subject: Re: openssh logout not being audited on fc5
Date: Wed, 5 Nov 2008 16:39:19 -0800
To: Tomas Mraz
Cc: "linux-audit@redhat.com", "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

Ahh simple pam.d scenario

Justin P. Mattock

On Nov 5, 2008, at 3:10 PM, Tomas Mraz wrote:

> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz wrote:
>>> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>>>> All,
>>>> been googling all day, so sorry if this info is common knowledge,
>>>> but I can't seem to find it.
>>>>
>>>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>>>> requirement (miserable task that it is), and I have to make this
>>>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>>>> up in my audit logs, and although I have an idea why, I can't seem to
>>>> find what I think I need ... The system I am building has the
>>>> following:
>>>>
>>>> OS = FC5
>>>> audit subsystem = 1.3-2
>>>> openssh = 4.3p2-4.12
>>>> kernel = 2.6.20-1.2320-fc5
>>>>
>>>> My RHEL4 systems capture ssh logout just fine, and they are at
>>>> earlier versions of both openssh and the audit subsystem... I found
>>>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>>>> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
>>>> find a later version of open ssh or at least a src.rpm to build a
>>>> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
>>>> src.rpm for el5, but of course, that didn't build properly on my fc5
>>>> system.
>>>>
>>>> Anyone know if I'm chasing my tail? Maybe something else will fix
>>>> this for FC5 (newer audit pkg?)? Recommendations would be most
>>>> appreciated. If you all think I DO need a newer openssh version,
>>>> anyone know where I can get a src.rpm for fc5 later than
>>>> 4.3p2-4.12?
>>>
>>> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
>>> to the FC5 package. But is it really a good idea to use such an old package
>>> at all? There are unfixed CVEs and so on. Of course this applies to the
>>> rest of the FC5 distribution as well.
>>> --
>>> Tomas Mraz
>>> No matter how far down the wrong road you've gone, turn back.
>>> Turkish proverb
>>>
>>
>> out of curiosity would this have something
>> to do with the audit=1 option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session()
> incorrectly.
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
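
A check for the symptom discussed in this thread, added here as an example and not code from any poster or from the openssh or audit projects: it pairs USER_START and USER_END records from sshd in audit log text and reports session opens that have no matching close. The sample records are constructed, and pairing open and close by pid is an assumption.

```python
import re

# Constructed sample records in the audit.log text layout; not taken from the thread.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225920000.101:210): user pid=3101 uid=0 auid=500 msg='PAM: session open acct=alice : exe="/usr/sbin/sshd" (hostname=host-a.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_END msg=audit(1225920300.202:233): user pid=3101 uid=0 auid=500 msg='PAM: session close acct=alice : exe="/usr/sbin/sshd" (hostname=host-a.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225921000.303:260): user pid=3207 uid=0 auid=501 msg='PAM: session open acct=bob : exe="/usr/sbin/sshd" (hostname=host-b.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225922000.404:300): user pid=3350 uid=0 auid=0 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Pulls record type, timestamp, serial, pid, account and executable from one line.
RECORD = re.compile(
    r'^type=(?P<type>USER_START|USER_END) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'.*?\bpid=(?P<pid>\d+)\b.*?\bacct="?(?P<acct>[^\s":]+)"?.*?\bexe="(?P<exe>[^"]+)"'
)


def unclosed_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return session-open records from `exe` that have no later session-close.

    Assumption: open and close are logged by the same pid, so pid is the pairing key.
    """
    open_by_pid = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m is None or m["exe"] != exe:
            continue
        starts = open_by_pid.setdefault(m["pid"], [])
        if m["type"] == "USER_START":
            starts.append({"acct": m["acct"], "pid": int(m["pid"]),
                           "ts": float(m["ts"]), "serial": int(m["serial"])})
        elif starts:
            starts.pop()  # a close ends the most recent open for this pid
    # Anything left was opened and never closed (pid reuse keeps earlier opens too).
    leftover = [rec for starts in open_by_pid.values() for rec in starts]
    return sorted(leftover, key=lambda rec: rec["ts"])


if __name__ == "__main__":
    for rec in unclosed_sessions(SAMPLE_LOG):
        print("no USER_END for acct=%(acct)s pid=%(pid)d (audit serial %(serial)d)" % rec)
```

Sessions that were still logged in when the log was read also show up as unclosed, so compare the result against the list of currently active logins before treating an entry as a missing logout record.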