audisp-prelude problems

[Steve Grubb]

On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
> I recompiled sshd with support for pam on the gentoo machine and the
> following event is logged when using "UsePAM yes" in sshd_config file:
>
> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5

This is from the kernel when pam_loginuid sets the loginuid. Its very 
important for all entry point daemons to set this (login, remote, gdm, sshd, 
kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit events. 
I believe that recent pam versions (0.9 or higher) automatically use libaudit 
if its present when compiling. You might double check what ./configure --help 
shows on your distro.


> And also on fedora machine events are generated when a user is logging in
> local or using a terminal or a console. On gentoo machine no events are
> generated when a user is logged in from a terminal or console.

There is a fair amount of enabling audit all over the place. I guess this is a 
disadvantage for a do it yourself distribution. There's things in pam, and 
probably 10-15 packages that are audit aware.


> What is happen on fedora is ok and I also want this happen on gentoo. Have
> you any idea why not the same events are generated on gentoo like is
> generated in fedora? 

I suspect that you needed libaudit built and installed early in the process of 
building Gentoo if you compiled it yourself. If you didn't build it, then they 
must not place a high priority on this security feature. I don't follow the 
Gentoo distribution, so what I just said could be all wrong. But I think if 
libaudit is missing early in the build process, lots of things won't find it 
and disable audit support.


> Has Fedora something which may not have or may not be included?

We send everything upstream so that everyone can benefit. Even that patch for 
sshd I referred you to was sent upstream, but they have not accepted it.

-Steve