audisp-prelude problems

Loredan Stancu loredan.stancu at myclar.ro
Thu Dec 4 13:10:21 UTC 2008


I just installed Fedora Core 10 on a VMware machine and
auditd/audisp-prelude seems to work fine.

I recompiled sshd with support for PAM on the Gentoo machine and the
following event is logged when using "UsePAM yes" in the sshd_config file:

node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5

This is the only event generated when a user logs in using ssh.


On the Fedora machine more events are generated when a user logs in using
ssh:


node=127.0.0.1 type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="darkone": exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd res=failed)'
node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=/dev/pts/2 res=success)'


Also, on the Fedora machine events are generated when a user logs in
locally from a terminal or console. On the Gentoo machine no events are
generated when a user logs in from a terminal or console.

PAM configuration on Gentoo:
# cat /etc/pam.d/sshd

auth		required	pam_tally.so file=/var/log/faillog onerr=succeed
auth		required	pam_shells.so
auth		required	pam_nologin.so
auth		include		system-auth

account		required	pam_access.so
account		required	pam_nologin.so
account		include		system-auth
account		required	pam_tally.so file=/var/log/faillog onerr=succeed

password	include		system-auth

session    required     pam_loginuid.so
session    optional     pam_console.so

session		required	pam_env.so
session		optional	pam_lastlog.so
session		include		system-auth
session		optional	pam_motd.so motd=/etc/motd
session		optional	pam_mail.so



PAM configuration on Fedora machine:
# cat /etc/pam.d/sshd

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_keyinit.so force revoke


# cat /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so



What happens on Fedora is OK and I also want this to happen on Gentoo. Have
you any idea why the same events are not generated on Gentoo as they are
on Fedora? Do I have to add something else to PAM on Gentoo? Does Fedora
have something that Gentoo may not have or may not include?





> On Wednesday 03 December 2008 12:58:24 you wrote:
>> Another question: Can auditd generate events when a user is logging in
>> using ssh? That implies ssh use pam?
>
> There are 2 sets of events being sent, auth/acct/session open/close are
> from pam. But cron sends the same events. So, sshd itself sends another
> event USER_LOGIN that is to signify that the pam events are associated
> with a login and what the final result was.
>
>
>> I ask this because I want to use audit in a production server and I'm not
>> allowed to manually install packages. I am allowed to only use emerge to
>> install packages. At this moment I do not have a USE flag (gentoo
>> specific) corresponding to --with-linux-audit.
>
> I guess Gentoo is unpatched. Things will not work right without that last
> patch. All analysis software is predicated on seeing that event.
>
>
>> @Steve :) : Can you help me please with audisp-remote? I'll explain
>> again what I want to do:
>> Let's say I have 3 machines (M1 M2 M3). M1 and M2 are 2 production
>> servers. M3 is a centralized events machine. On M1 and M2 run auditd and
>> audisp-remote. audisp-remote sends events to M3. I know how to configure
>> auditd and audisp-remote on M1 and M3. What I don't know is what I should
>> do on M3 so that it can receive events from M1 and M2 and store these
>> events in a regular file.
>
> You only have to set its tcp_listen_port to the same one that M1 & M2 are
> trying to connect on, update the tcp_wrappers hosts.allow file to allow M1
> & M2 to connect, then if you have selinux, you need to tell it what port
> you are using, and you also need to punch a hole in your firewall for that
> port.
>
>
>> > And you are able to load and list the 2 rules I sent above? Can you
>> > find the results with ausearch --start today -k mkexe -m SYSCALL ?
>>
>> Yes, I could load those rules and this is what is loaded when a file gets
>> execution rights:
>
> This looks fine. It should be working for you, then.
>
> -Steve
>
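Added example, not part of the thread: a Python check over audit records that groups them by sshd pid and reports which of the events Steve describes (the PAM auth/acct/session records plus sshd's own USER_LOGIN) never appeared, so a host that only emits the kernel's LOGIN record, as the Gentoo box above does, stands out. The sample records are a constructed one-line-per-record subset of those quoted in the post; the node names and the trimmed fields are my assumptions.

```python
import re
from collections import defaultdict

# Event types a PAM-enabled, audit-patched sshd emits for one successful
# login, in the order the Fedora trace in the post shows them.
EXPECTED = ("USER_AUTH", "USER_ACCT", "CRED_ACQ", "LOGIN", "USER_START", "USER_LOGIN")

# Constructed sample: the Gentoo record and a subset of the Fedora records
# from the post, re-joined onto one line each and reduced to the fields used.
SAMPLE = """\
node=gentoo type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
node=fedora type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735 uid=0 msg='acct="darkone": exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd res=failed)'
node=fedora type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735 uid=0 msg='op=PAM:authentication acct="darkone" exe="/usr/sbin/sshd" (terminal=ssh res=success)'
node=fedora type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735 uid=0 msg='op=PAM:accounting acct="darkone" exe="/usr/sbin/sshd" (terminal=ssh res=success)'
node=fedora type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735 uid=0 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (terminal=ssh res=success)'
node=fedora type=LOGIN msg=audit(1228402662.430:20): login pid=2735 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=fedora type=USER_START msg=audit(1228402662.430:21): user pid=2735 uid=0 auid=500 ses=4 msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd" (terminal=ssh res=success)'
node=fedora type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740 uid=0 auid=500 ses=4 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (terminal=ssh res=success)'
node=fedora type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 msg='uid=500: exe="/usr/sbin/sshd" (terminal=/dev/pts/2 res=success)'
"""

# Only the keys the check needs; the last value wins when a key repeats.
FIELD_RE = re.compile(r"\b(node|type|pid|res)=([\w./-]+)")

def parse_record(line):
    """Return {node, type, pid, res} for one audit record (missing keys absent)."""
    return dict(FIELD_RE.findall(line))

def check_logins(text):
    """Per (node, sshd pid): expected events that never appeared, and the
    result of the last USER_LOGIN record (None if sshd never sent one).
    Pids seen only in a forked child's CRED_ACQ (pid 2740 above) are skipped:
    only pids that produced a LOGIN or USER_AUTH record count as logins."""
    seen, result = defaultdict(set), {}
    for line in text.splitlines():
        rec = parse_record(line)
        if "type" not in rec:
            continue
        key = (rec.get("node", "?"), int(rec.get("pid", -1)))
        seen[key].add(rec["type"])
        if rec["type"] == "USER_LOGIN":
            result[key] = rec.get("res")
    return {key: {"missing": [t for t in EXPECTED if t not in types],
                  "result": result.get(key)}
            for key, types in seen.items() if types & {"LOGIN", "USER_AUTH"}}
```

On the sample, the Fedora pid reports nothing missing with result "success", while the Gentoo pid is missing every PAM event and USER_LOGIN, which is the symptom the post describes.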