Missing login records - Audit functionality in different kernel versions
Steve Grubb
sgrubb at redhat.com
Thu May 30 12:30:52 UTC 2019
Hello,
On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
> I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the
> audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and
> USER_LOGIN record types at all, Only USER_LOGIN types.
>
> As I understand these records should be there without any rules set.
> https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html
Yes. These are sent by pam. So, the question would be, is your copy of pam
compiled with audit support?
ldd /usr/lib64/libpam_misc.so | grep libaudit
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f06c2c39000)
> On another server with kernel version 4.9 it works properly. Is there a
> possibility that this Audit functionality is not implemented in kernel
> version 3.2, or is this just a configuration issue on my side?
This should be pam.
-Steve
> We have too many Debian 3.x production servers to consider kernel upgrade
> being an option.
>
> If it's a kernel issue, could you please recommend any workaround?
> Currently I am thinking on parsing the auth.log
>
> Many thanks,
> Robert
>
> auditd.conf:
> log_file = /var/log/audit/audit.log
> log_format = RAW
> log_group = root
> priority_boost = 4
> flush = INCREMENTAL
> freq = 20
> num_logs = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file = 5
> max_log_file_action = ROTATE
> space_left = 75
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> ##tcp_listen_port =
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
More information about the Linux-audit
mailing list