audisp-prelude problems

Loredan Stancu loredan.stancu at myclar.ro
Thu Dec 4 14:57:54 UTC 2008


Thanks a lot Steve, now it works. It was because PAM was not compiled with
audit support. Now events are generated when a user logs in from a
console, a terminal or over ssh.

Now I'll have to use the audisp-remote plugin to centralize events.


> On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
>> I recompiled sshd with support for PAM on the Gentoo machine and the
>> following event is logged when using "UsePAM yes" in the sshd_config file:
>>
>> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
>> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
>
> This is from the kernel when pam_loginuid sets the loginuid. It's very
> important for all entry point daemons to set this (login, remote, gdm, sshd,
> kdm, xdm, vsftpd, ...). You also need PAM itself enabled to send audit events.
> I believe that recent PAM versions (0.9 or higher) automatically use libaudit
> if it's present when compiling. You might double check what ./configure --help
> shows on your distro.
>
>
>> And also on the Fedora machine events are generated when a user is logging
>> in locally or using a terminal or a console. On the Gentoo machine no events
>> are generated when a user is logged in from a terminal or console.
>
> There is a fair amount of enabling audit all over the place. I guess this is
> a disadvantage for a do-it-yourself distribution. There are things in PAM, and
> probably 10-15 packages that are audit aware.
>
>
>> What happens on Fedora is OK and I also want this to happen on Gentoo. Have
>> you any idea why the same events are not generated on Gentoo as on Fedora?
>
> I suspect that you needed libaudit built and installed early in the process
> of building Gentoo if you compiled it yourself. If you didn't build it, then
> they must not place a high priority on this security feature. I don't follow
> the Gentoo distribution, so what I just said could be all wrong. But I think
> if libaudit is missing early in the build process, lots of things won't find
> it and disable audit support.
>
>
>> Does Fedora have something that Gentoo may not have or may not include?
>
> We send everything upstream so that everyone can benefit. Even that patch for
> sshd I referred you to was sent upstream, but they have not accepted it.
>
> -Steve
>
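The thread turns on one detail: the type=LOGIN record is only written when pam_loginuid sets the loginuid, and every later event in that session is attributed through that auid. The following added example (written for this thread, not code from the audit project or either poster) parses LOGIN records in both the 2008-era key spelling quoted above ("old auid=", "new auid=") and the dashed spelling later kernels use ("old-auid=", "auid="; that layout is an assumption here), then scans PAM session-open records for an auid that is still 4294967295, which is what a daemon whose PAM stack never ran pam_loginuid leaves behind. All records except the one quoted from the thread are constructed sample input.

```python
"""Parse Linux audit LOGIN and PAM session records and check that every
login actually set a loginuid.  Added example for this thread; it is not
code from the audit project or from either poster."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

UNSET_AUID = 4294967295  # (uid_t)-1: loginuid was never set by pam_loginuid

# The 2008-era kernel in the thread writes keys with spaces ("old auid=").
# Later kernels write "old-auid=" / "auid=" and "old-ses=" / "ses=" (assumed
# layout, see the constructed sample below).  Map both spellings to one name.
_KEY_ALIASES = {
    "old auid": "old_auid", "old-auid": "old_auid", "new auid": "auid",
    "old ses": "old_ses", "old-ses": "old_ses", "new ses": "ses",
}
_PAIR_RE = re.compile(
    r"""(old auid|new auid|old ses|new ses|[\w-]+)=('[^']*'|"[^"]*"|\S+)""")
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key -> value, recursing into quoted
    payloads such as msg='op=... exe="/usr/sbin/sshd" ...'."""
    fields: Dict[str, str] = {}
    m = _MSG_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    for key, raw in _PAIR_RE.findall(line):
        key = _KEY_ALIASES.get(key, key)
        value = raw.strip("'\"")
        if raw != value and "=" in value:
            for k, v in parse_record(value).items():
                fields.setdefault(k, v)
        else:
            fields.setdefault(key, value)
    return fields


@dataclass
class LoginEvent:
    serial: int
    pid: int
    uid: int
    old_auid: int
    auid: int
    old_ses: int
    ses: int

    @property
    def sets_loginuid(self) -> bool:
        """True for the normal case: auid goes from unset to a real uid."""
        return self.old_auid == UNSET_AUID and self.auid != UNSET_AUID


def parse_login(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a type=LOGIN record, None for anything else."""
    f = parse_record(line)
    if f.get("type") != "LOGIN":
        return None
    return LoginEvent(serial=int(f["serial"]), pid=int(f["pid"]), uid=int(f["uid"]),
                      old_auid=int(f["old_auid"]), auid=int(f["auid"]),
                      old_ses=int(f["old_ses"]), ses=int(f["ses"]))


def login_events(lines: List[str]) -> List[LoginEvent]:
    return [e for e in (parse_login(l) for l in lines) if e is not None]


def sessions_without_loginuid(lines: List[str]) -> List[Dict[str, str]]:
    """PAM session records that still carry an unset auid.  The daemon that
    opened the session never ran pam_loginuid, so nothing that user does in
    the session can be traced back to the login by auid."""
    bad = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") in ("USER_START", "USER_LOGIN") and \
                f.get("auid") in (str(UNSET_AUID), "-1", "unset"):
            bad.append({"serial": f.get("serial", "?"), "pid": f.get("pid", "?"),
                        "exe": f.get("exe", "?")})
    return bad


SAMPLE_RECORDS = [
    # The real record quoted in the thread.
    "node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 "
    "uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5",
    # Constructed: the same kind of event as a later kernel would format it (assumed layout).
    "type=LOGIN msg=audit(1228395300.123:40): pid=6001 uid=0 old-auid=4294967295 "
    "auid=1001 tty=(none) old-ses=4294967295 ses=6 res=1",
    # Constructed: PAM session open after a login that did set the auid.
    "type=USER_START msg=audit(1228395162.700:13): user pid=5308 uid=0 auid=1000 "
    "msg='op=PAM:session_open acct=\"loredan\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=? terminal=ssh res=success'",
    # Constructed: session open by a daemon whose PAM stack lacks pam_loginuid.
    "type=USER_START msg=audit(1228395500.001:60): user pid=6200 uid=0 "
    "auid=4294967295 msg='op=PAM:session_open acct=\"loredan\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=ssh res=success'",
]

if __name__ == "__main__":
    for ev in login_events(SAMPLE_RECORDS):
        print(f"LOGIN serial={ev.serial} pid={ev.pid} auid {ev.old_auid}->{ev.auid} "
              f"ses {ev.old_ses}->{ev.ses} ok={ev.sets_loginuid}")
    for bad in sessions_without_loginuid(SAMPLE_RECORDS):
        print(f"WARNING: session opened by {bad['exe']} pid={bad['pid']} "
              f"(serial {bad['serial']}) has no loginuid")
```

On a live box the quickest equivalent of this check is to log in over ssh and run `cat /proc/self/loginuid`: a value of 4294967295 means pam_loginuid did not run for that daemon, and `ausearch -m LOGIN` will show no matching record. The USER_START scan is only meaningful once PAM itself is built with audit support, as in the fixed Gentoo setup above; without it PAM emits no session records at all, and the absence of LOGIN records is the only symptom.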