Audit Prelude Logout Tracking
LC Bruzenak
lenny at magitekltd.com
Wed Feb 18 22:44:06 UTC 2009
On Wed, 2009-02-18 at 16:58 -0500, Dan Gruhn wrote:
> I''m working on an X86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm
> looking to modify the audisp-prelude plugin so that I can get logout
> events displayed.
>
> I see the information in the audit.log as USER_END and have done a small
> mod in the handle_event routine in audisp-prelude.c so that it looks for
> AUDIT_USER_END but I've run across the following things:
>
> 1) sshd goes through a login/logout cycle ending in USER_END and all is
> good.
> node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422
> uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
> msg='PAM: session close acct="root" : exe="/usr/sbin/sshd"
> (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'
>
>
>
> 2) gdm-binary goes through the same login/logout cycle, but on the
> USER_END audit message it is missing some information, in particular the
> source hostname:
> node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868
> uid=0 auid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM:
> session close acct="root" : exe="/usr/sbin/gdm-binary" (hostname=?,
> addr=?, terminal=:0 res=success)'
>
> 3) When crond runs, it goes through a similar cycle (but without the
> USER_LOGIN step) ending with USER_END
> node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517
> uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
> session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
> terminal=cron res=success)'
>
> I want to ignore the crond operations and be able to fill in the
> information from gdm-binary. Has any one done this prelude logout
> tracking before or have any ideas how I can proceed.
>
> As always, a pointer to more information is quite acceptable.
>
> Dan
>
Dan,
As I myself eventually learned, the hostname/addr info is only for
remote access information. The gdm process doesn't get that filled in,
nor does crond.
As for the logouts being sent to prelude, I preferred that as well but
no one (except me) felt that a logout was security-worthy in the context
of IDS events IIRC. I wanted them somewhat for the same reason - because
then it told a complete story. Also I believe there is a need due to
screenlocks - if someone else can login while your screen is locked then
there isn't a trace back to when they logged out. I haven't looked at
that for a while though; not sure it it is still possible.
I myself patch the audisp-prelude.c code so I can catch some application
events there and send to prelude as well.
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list