openssh logout not being audited on fc5
Justin P. Mattock
justinmattock at gmail.com
Thu Nov 6 00:39:19 UTC 2008
Ahh simple pam.d scenario
Justin P. Mattock
On Nov 5, 2008, at 3:10 PM, Tomas Mraz <tmraz at redhat.com> wrote:
> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz at redhat.com> wrote:
>>> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>>>> All,
>>>> Been googling all day, so sorry if this info is common knowledge,
>>>> but I can't seem to find it.
>>>>
>>>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>>>> requirement (miserable task that it is), and I have to make this
>>>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>>>> up in my audit logs, and although I have an idea why, I can't seem to
>>>> find what I think I need ... The system I am building has the
>>>> following:
>>>>
>>>> OS = FC5
>>>> audit subsystem = 1.3-2
>>>> openssh = 4.3p2-4.12
>>>> kernel = 2.6.20-1.2320-fc5
>>>>
>>>> My RHEL4 systems capture ssh logout just fine, and they are at
>>>> earlier versions of both openssh and the audit subsystem... I found
>>>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>>>> ssh logout problem for (I think) SUSE 10.1, so I thought I'd try and
>>>> find a later version of openssh or at least a src.rpm to build a
>>>> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
>>>> src.rpm for el5, but of course, that didn't build properly on my fc5
>>>> system.
>>>>
>>>> Anyone know if I'm chasing my tail? Maybe something else will fix
>>>> this for FC5 (newer audit pkg?)? Recommendations would be most
>>>> appreciated. If you all think I DO need a newer openssh version,
>>>> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>>>
>>> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
>>> to the FC5 package. But is it really a good idea to use such an old
>>> package at all? There are unfixed CVEs and so on. Of course this applies
>>> to the rest of the FC5 distribution as well.
>>> --
>>> Tomas Mraz
>>> No matter how far down the wrong road you've gone, turn back.
>>> Turkish proverb
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit at redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>>
>>
>> out of curiosity would this have something
>> to do with the audit=1 option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session()
> incorrectly.
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
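One way to check whether ssh logouts are reaching the audit trail, as an added example that is not part of the original thread: it pairs sshd PAM session-open (USER_START) records with session-close (USER_END) records and reports opens that never got a close. The sample records are constructed, and both the record layout and the pairing key (sshd pid plus account) are assumptions about how the audit log looks on the system being checked.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log style (not taken from the thread).
SAMPLE_LOG = """\
type=USER_START msg=audit(1225926000.101:210): user pid=2301 uid=0 auid=500 msg='PAM: session open acct=alice : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_END msg=audit(1225926300.440:231): user pid=2301 uid=0 auid=500 msg='PAM: session close acct=alice : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_START msg=audit(1225927000.007:260): user pid=2417 uid=0 auid=501 msg='PAM: session open acct=bob : exe="/usr/sbin/sshd" (hostname=10.0.0.9, addr=10.0.0.9, terminal=ssh res=success)'
type=USER_START msg=audit(1225927100.300:265): user pid=2450 uid=0 auid=0 msg='PAM: session open acct=root : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Assumed record layout: type, audit(timestamp:serial), pid, acct, exe.
RECORD = re.compile(
    r'^type=(?P<type>USER_START|USER_END) msg=audit\(\d+\.\d+:(?P<serial>\d+)\): '
    r'.*?\bpid=(?P<pid>\d+) .*?acct="?(?P<acct>[^" ]+)"? .*?exe="(?P<exe>[^"]+)"'
)


def unclosed_sshd_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return sorted (pid, acct, serial) for session opens with no later close."""
    open_sessions = defaultdict(list)  # (pid, acct) -> serials of opens still pending
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m.group("exe") != exe:
            continue  # not a PAM session record from the program being checked
        key = (int(m.group("pid")), m.group("acct"))
        if m.group("type") == "USER_START":
            open_sessions[key].append(int(m.group("serial")))
        elif open_sessions[key]:
            open_sessions[key].pop(0)  # a close cancels the oldest pending open
    return sorted(
        (pid, acct, serial)
        for (pid, acct), serials in open_sessions.items()
        for serial in serials
    )


if __name__ == "__main__":
    for pid, acct, serial in unclosed_sshd_sessions(SAMPLE_LOG):
        print(f"no USER_END for sshd pid={pid} acct={acct} (open serial {serial})")
```

An open without a close can also be a session that is still active, so run the check against a log captured after the test logins have ended.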