Re: audisp-prelude problems

On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote: > I recompiled sshd with support for pam on the gentoo machine and the > following event is logged when using "UsePAM yes" in sshd_config file: > > node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 > uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5 This is from the kernel when pam_loginuid sets the loginuid. Its very important for all entry point daemons to set this (login, remote, gdm, sshd, kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit events. I believe that recent pam versions (0.9 or higher) automatically use libaudit if its present when compiling. You might double check what ./configure --help shows on your distro. > And also on fedora machine events are generated when a user is logging > in > local or using a terminal or a console. On gentoo machine no events are > generated when a user is logged in from a terminal or console. There is a fair amount of enabling audit all over the place. I guess this is a disadvantage for a do it yourself distribution. There's things in pam, and probably 10-15 packages that are audit aware. > What is happen on fedora is ok and I also want this happen on gentoo. > Have > you any idea why not the same events are generated on gentoo like is > generated in fedora? I suspect that you needed libaudit built and installed early in the process of building Gentoo if you compiled it yourself. If you didn't build it, then they must not place a high priority on this security feature. I don't follow the Gentoo distribution, so what I just said could be all wrong. But I think if libaudit is missing early in the build process, lots of things won't find it and disable audit support. > Has Fedora something which may not have or may not be included? We send everything upstream so that everyone can benefit. Even that patch for sshd I referred you to was sent upstream, but they have not accepted it. -Steve