On Wednesday 03 December 2008 12:58:24 you wrote:
Another question: Can auditd generate events when a user is logging
in
using ssh? That implies ssh use pam?
There are 2 sets of events being sent, auth/acct/session open/close are from
pam. But cron sends the same events. So, sshd itself sends another event
USER_LOGIN that is to signify that the pam events are associated with a login
and what the final result were.
I ask this because I want use audit in a production server and
I'm not
allowed to manually install packages. I am allowed to only use emerge to
install packages. At this moment I do not have a USE flag(gentoo specific)
corresponding to --with-linux-audit.
I guess Gentoo is unpatched. Things will not work right without that last
patch. All analysis software is predicated on seeing that event.
@Steve :) : Can you help me please with audisp-remote? I'll
explain again
what I want to do:
Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production.
M3 is a centralized machine events. On M1 and M2 runs auditd and
audisp-remote.
audisp-remote sends events to M3. I know how to configure auditd and
audisp-remote on M1 and M3. What I don't know is what should I do on M3 so
that it can receive events from M1 and M2 and store this events in regular
file.
You only have to set its tcp_listen_port to the same one that M1 & M2 are
trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & M2 to
connect, then if you have selinux, you need to tell it what port you are
using, and you also need to punch a hole in your firewall for that port.
> And you are able to load and list the 2 rules I sent above? Can
you find
> the results with ausearch --start today -k mkexe -m SYSCALL ?
Yes, I could load that rules and this is what si loaded when a file gets
eecution rights:
This looks fine. It should be working for you, then.
-Steve