ssh in SLES10 SP1 RC2

Michael Folsom mwfolsom at gmail.com
Thu May 31 03:01:37 UTC 2007 

Tony:

Here's the guts of the first message in the original thread and the
replies I got ........

Essentially what I'm not seeing in the audit.log file is the USER_END
statement after a ssh session is terminated.  For my purposes the end
of any session (ssh, console, gui) needs to be recorded.

=============================================
Steve:

Thanks for the quick response -

Did a little test on a X86-64 SLES10 SP1 RC2 system - sshed into in
and did see the USER_LOGIN line then got out via either an exit or
logout and never see an USER_END statement.  Here's the relevant lines
from /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1180108586.633:1292): user pid=31247 uid=0
auid=4294967295 msg='PAM: authentication acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X, terminal=ssh
res=success)'
type=USER_ACCT msg=audit(1180108586.633:1293): user pid=31247 uid=0
auid=4294967295 msg='PAM: accounting acct=mwfolsom :
exe="/usr/sbin/sshd" (hostname=X.X.X, addr=X.X.X.X,, terminal=ssh
res=success)'
type=LOGIN msg=audit(1180108586.637:1294): login pid=31248 uid=0 old
auid=4294967295 new auid=6122
type=USER_START msg=audit(1180108586.637:1295): user pid=31248 uid=0
auid=6122 msg='PAM: session open acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=CRED_REFR msg=audit(1180108586.637:1296): user pid=31248 uid=0
auid=6122 msg='PAM: setcred acct=mwfolsom : exe="/usr/sbin/sshd"
(hostname=X.X.X, addr=X.X.X.X, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1180108586.641:1297): user pid=31245 uid=0
auid=4294967295 msg='uid=6122: exe="/usr/sbin/sshd" (hostname=X.X.X,
addr=X.X.X.X, terminal=/dev/pts/1 res=success)

>From playing with logging in and our via different means - the gdm
gui, the console, and ssh and then using grep on the log file it
appears that the other two routes record both login's and logout's but
ssh only records logins.

------

On Friday 25 May 2007 13:21, Michael Folsom wrote:
> Did a little test on a X86-64 SLES10 SP1 RC2 system - sshed into in
> and did see the USER_LOGIN line then got out via either an exit or
> logout and never see an USER_END statement.

If I remember correctly, there was a bug in a patch to sshd that called
pam_session_close from the unprivileged process. I think we moved this and
sent the patch upstream.

> Could this be an issue in Suse's implementation of audit?

There might be a sshd patch that needs backporting from openssh cvs.

-Steve
-------

      Yep,  based on some earlier emails I saved,  I think Steve said that
    ssh needs to be at version 4.3p2-13 or later  to  generate logout
    (USER_END) audit records correctly.

    Karen Wieprecht

========================================

The x86-64 test system is running SLES10 SP1 rc2

I set the system up for auditing based on a "SLE10 Auditing
Quickstart" guide I got from someone at Novell.

This is how I set the system up:
------------------------------------------------------
Configure Audit
   1. Be sure you are logged in as root
   2. rcauditd stop
   3. rm /var/log/audit/audit.log NOTE: I like to clear the audit.log
show and start with a fresh log file for testing.
   4. Edit /etc/sysconfig/auditd
      1. Change AUDITD_DISABLE_CONTEXTS to no NOTE: This enables
syscall auditing
   5. Edit /etc/auditd.conf
      1. Change flush from INCREMENTAL to SYNC NOTE: This is for
testing purposes only,   INCREMENTAL would be a better option in
production auditing
   6. Edit /etc/audit/rules
      1. Add the following line to the bottom of the file:
           -w /etc/audit.rules -k fk_auditrules
           NOTE: This rule will audit the /etc/audit.rules file.
   7. Edit /etc/pam.d/{login,gdm,xdm,sshd,crond,atd} NOTE: Adds UID
info to audit entries for watched files
      1. Add the following line:
           session required     pam_loginuid.so
           before the line "session include       common-session"
   8. rcauditd start

Advice will be appreciated -


Thanks!


Michael




On 5/30/07, Tony Jones <tonyj at suse.de> wrote:
> On Tue, May 29, 2007 at 04:03:50PM -0600, Michael Folsom wrote:
> > Checked and SLES10/SLED10 SP1 rc2 and rc3 are both running openssh 4.2p1-18.
> >
> > Looks like monitoring logouts won't happen in Suse Enterprise land
> > till SSH get reved to a newer version!
>
> We added patches to generate the appropriate USER_LOGIN messages for SP1 into
> gdm, login and openssh.  The other messages were handled via PAM.  I'm not sure
> what the exact issue is as I missed the startt if the thread.  As an aside it's
> not a matter of necessarily reving to a newer version, rather of backporting
> the necessary changes (unless they are no invasive that it requires moving
> forward to a new revision).  We try to avoid upgrading package versions once
> we begin the release process, rather we cherrypick.
>
> We would have taken a bug report during the beta process and would have rolled
> the fix into the older version but it's too late now.   Still, I'd recommend
> you file a bug in Novell bugzilla.
>
> Tony
>

More information about the Linux-audit mailing list