audisp-prelude problems
Steve Grubb
sgrubb at redhat.com
Thu Dec 4 13:41:10 UTC 2008
On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
> I recompiled sshd with support for pam on the gentoo machine and the
> following event is logged when using "UsePAM yes" in sshd_config file:
>
> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is from the kernel when pam_loginuid sets the loginuid. Its very
important for all entry point daemons to set this (login, remote, gdm, sshd,
kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit events.
I believe that recent pam versions (0.9 or higher) automatically use libaudit
if its present when compiling. You might double check what ./configure --help
shows on your distro.
> And also on fedora machine events are generated when a user is logging in
> local or using a terminal or a console. On gentoo machine no events are
> generated when a user is logged in from a terminal or console.
There is a fair amount of enabling audit all over the place. I guess this is a
disadvantage for a do it yourself distribution. There's things in pam, and
probably 10-15 packages that are audit aware.
> What is happen on fedora is ok and I also want this happen on gentoo. Have
> you any idea why not the same events are generated on gentoo like is
> generated in fedora?
I suspect that you needed libaudit built and installed early in the process of
building Gentoo if you compiled it yourself. If you didn't build it, then they
must not place a high priority on this security feature. I don't follow the
Gentoo distribution, so what I just said could be all wrong. But I think if
libaudit is missing early in the build process, lots of things won't find it
and disable audit support.
> Has Fedora something which may not have or may not be included?
We send everything upstream so that everyone can benefit. Even that patch for
sshd I referred you to was sent upstream, but they have not accepted it.
-Steve
More information about the Linux-audit
mailing list