1:28 a.m.
Hi Team,
I have two queries.
1)I am trying to run the auditd (start/stop) without root user as normal user , how to
achieve this on linux.?2)i am using kernel version 4.19.97 nd i ma not getting any
login/logout, authentication fail/pass log data in audit.log file. DOes it need any
changes in the config or rules..
Please help me out on these query. Any answer would be appreciable.
Regards,Rakesh
9:27 a.m.
On Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
1)I am trying to run the auditd (start/stop) without root user as
normal
user , how to achieve this on linux.?
For security reasons, this is not allowed.
2)i am using kernel version 4.19.97 and i am not getting any
login/logout,
authentication fail/pass log data in audit.log file. DOes it need any
changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
2:40 a.m.
Sent from Yahoo Mail on Android
On Sat, Jul 10, 2021 at 19:57, Steve Grubb<sgrubb(a)redhat.com> wrote: On
Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
1)I am trying to run the auditd (start/stop) without root user as
normal
user , how to achieve this on linux.?
For security reasons, this is not allowed.
2)i am using kernel version 4.19.97 and i am not getting any
login/logout,
authentication fail/pass log data in audit.log file. DOes it need any
changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
2:42 a.m.
Pheba
Sent from Yahoo Mail on Android
On Sat, Jul 10, 2021 at 19:57, Steve Grubb<sgrubb(a)redhat.com> wrote: On
Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
1)I am trying to run the auditd (start/stop) without root user as
normal
user , how to achieve this on linux.?
For security reasons, this is not allowed.
2)i am using kernel version 4.19.97 and i am not getting any
login/logout,
authentication fail/pass log data in audit.log file. DOes it need any
changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
3:19 a.m.
I did not get you, in kernel auditd is enabled like kauditd is running then what exactly
we have to do changes in my system to get full login n log out info in audit. Log file.
Please help me in giving steps to follow.
Regards,Rakesh
Sent from Yahoo Mail on Android
On Sat, Jul 10, 2021 at 19:57, Steve Grubb<sgrubb(a)redhat.com> wrote: On
Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
1)I am trying to run the auditd (start/stop) without root user as
normal
user , how to achieve this on linux.?
For security reasons, this is not allowed.
2)i am using kernel version 4.19.97 and i am not getting any
login/logout,
authentication fail/pass log data in audit.log file. DOes it need any
changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
11:18 a.m.
On Thursday, July 29, 2021 4:19:16 AM EDT Rakesh Kumar wrote:
I did not get you, in kernel auditd is enabled like kauditd is
running then
what exactly we have to do changes in my system to get full login n log
out info in audit. Log file.
Logging in/out is done in 2 places. First, pam records what it knows. But the
entry point daemon is also supposed to send USER_LOGIN and USER_LOGOUT
events.
Complete information is here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-L...
Gdm, Kdm, and sshd all have been updated to record these events. All that is
needed is to configure --with-audit during the package build. By now, I would
expect all distros to do that.
-Steve
On Sat, Jul 10, 2021 at 19:57, Steve Grubb<sgrubb(a)redhat.com>
wrote: On
Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
> 1)I am trying to run the auditd (start/stop) without root user
as normal
> user , how to achieve this on linux.?
For security reasons, this is not allowed.
> 2)i am using kernel version 4.19.97 and i am not getting any
> login/logout,
> authentication fail/pass log data in audit.log file. DOes it need any
> changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
11:47 p.m.
Hi Team,
1)I am using this version of auditctl version 2.4.4 . So does this version has the user
login/logout info to log into audit.log ?
2) If u to want to see the pam.d/login file configuration to check why its not logging
the login/logout info then please let me know about this , i will be happy to share that
file.or if it needs other pam file to check also please let me know that also.
As i see in my system that [kauditd] is running so it log all login info.
Please help me on this .
Regards,Rakesh On Thursday, July 29, 2021, 09:49:03 PM GMT+5:30, Steve Grubb
<sgrubb(a)redhat.com> wrote:
On Thursday, July 29, 2021 4:19:16 AM EDT Rakesh Kumar wrote:
I did not get you, in kernel auditd is enabled like kauditd is
running then
what exactly we have to do changes in my system to get full login n log
out info in audit. Log file.
Logging in/out is done in 2 places. First, pam records what it knows. But the
entry point daemon is also supposed to send USER_LOGIN and USER_LOGOUT
events.
Complete information is here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-L...
Gdm, Kdm, and sshd all have been updated to record these events. All that is
needed is to configure --with-audit during the package build. By now, I would
expect all distros to do that.
-Steve
On Sat, Jul 10, 2021 at 19:57, Steve Grubb<sgrubb(a)redhat.com>
wrote: On
Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
> 1)I am trying to run the auditd (start/stop) without root user
as normal
> user , how to achieve this on linux.?
For security reasons, this is not allowed.
> 2)i am using kernel version 4.19.97 and i am not getting any
> login/logout,
> authentication fail/pass log data in audit.log file. DOes it need any
> changes in the config or rules..
This is hardwired into pam. The rules don't matter. I'd check that pam was
compiled with audit support and that audit is enabled in the kernel.
-Steve
8:42 a.m.
On Saturday, August 7, 2021 12:47:56 AM EDT Rakesh Kumar wrote:
1)I am using this version of auditctl version 2.4.4 . So does this
version
has the user login/logout info to log into audit.log ?
This is not the responsibility of auditd. Auditd provides libaudit.
Applications use that to create log events. It is the reposibility of system
entry point daemons to log the event. User login events have been supported
as long as I can remember.
2) If u to want to see the pam.d/login file configuration to check
why its
not logging the login/logout info then please let me know about this,
It's not configurable by an end user. Its configured at compile time. You would
want to look at the build logs for pam and entrypoint daemons such as sshd,
gdm, kdm, etc.
-Steve
12:48 p.m.
Hi Team,
The user login/logout information is being logged into auth.log file but not being logged
into audit.log .it means that sshd, pam configuration is working for auth.log file then
why its not working for audit.log, so where could be the problem, for this not being
logged into audit.log file .
Where should i investigate.?
Regards,Rakesh On Sunday, August 8, 2021, 07:12:17 PM GMT+5:30, Steve Grubb
<sgrubb(a)redhat.com> wrote:
On Saturday, August 7, 2021 12:47:56 AM EDT Rakesh Kumar wrote:
1)I am using this version of auditctl version 2.4.4 . So does this
version
has the user login/logout info to log into audit.log ?
This is not the responsibility of auditd. Auditd provides libaudit.
Applications use that to create log events. It is the reposibility of system
entry point daemons to log the event. User login events have been supported
as long as I can remember.
2) If u to want to see the pam.d/login file configuration to check
why its
not logging the login/logout info then please let me know about this,
It's not configurable by an end user. Its configured at compile time. You would
want to look at the build logs for pam and entrypoint daemons such as sshd,
gdm, kdm, etc.
-Steve
12:53 p.m.
Or do i need any specific rules in the /etc/auditd/rules.d/audit.rules for this
login/logout info to be logged ,?
if yes then please suggest on this.
Rakesh On Sunday, August 8, 2021, 11:18:00 PM GMT+5:30, Rakesh Kumar
<rakesh_kumar2554(a)yahoo.com> wrote:
Hi Team,
The user login/logout information is being logged into auth.log file but not being logged
into audit.log .it means that sshd, pam configuration is working for auth.log file then
why its not working for audit.log, so where could be the problem, for this not being
logged into audit.log file .
Where should i investigate.?
Regards,Rakesh On Sunday, August 8, 2021, 07:12:17 PM GMT+5:30, Steve Grubb
<sgrubb(a)redhat.com> wrote:
On Saturday, August 7, 2021 12:47:56 AM EDT Rakesh Kumar wrote:
1)I am using this version of auditctl version 2.4.4 . So does this
version
has the user login/logout info to log into audit.log ?
This is not the responsibility of auditd. Auditd provides libaudit.
Applications use that to create log events. It is the reposibility of system
entry point daemons to log the event. User login events have been supported
as long as I can remember.
2) If u to want to see the pam.d/login file configuration to check
why its
not logging the login/logout info then please let me know about this,
It's not configurable by an end user. Its configured at compile time. You would
want to look at the build logs for pam and entrypoint daemons such as sshd,
gdm, kdm, etc.
-Steve
10:19 p.m.
On Sunday, August 8, 2021 1:48:00 PM EDT you wrote:
The user login/logout information is being logged into auth.log file
but
not being logged into audit.log .it means that sshd, pam configuration is
working for auth.log file then why its not working for audit.log, so where
could be the problem, for this not being logged into audit.log file .
Where should i investigate.?
As I said, the build logs. Listen, do not keep sending emails saying this is
not working please help. I have no idea what distribution you are using or if
you have even contacted them. If you are using a distribution, please contact
them.
You point to syslog and ask why audit is not working. Audit doesn't send to
syslog, it sends to auditd unless auditd is not running. Is it?
Audit is working for all distributions I know of. If it's not working for
you, it is incumbent on you to explain what your system is using and how
you've checked it. Try ldd for example to see if pam is actually linked
aginst libaudit.
-Steve
1230
days inactive
1260
days old
linux-audit@lists.linux-audit.osci.io
10 comments
2 participants
participants (2)
-
Rakesh Kumar -
Steve Grubb