12:01 p.m.
Hi,
I need some help with configuration. First, I do not remember how to
tell the version of the auditd I am running. I tried to get it by
pulling strings with no success. The larger problem is I am configuring
a RHEL4U5 system. I have a RHEL4U4 system that runs correctly and
supplies the AUID when specified with aureport. The RHEL4U5 system has
this parameter as "unset" rather than the AUID or uid or anything else
to identify who was attempting to run failed commands.
If someone can help me with what needs to be set, I would appreciate it.
I compared all of the obvious files, such as all pam files, the
audit.rules, auditd.conf and syslog.conf and they all seem to be the
same.
Both systems run Linux 2.6.9-42.ELsmp.
Thanks in advance.
David A. Kirkwood
1:07 p.m.
I need some help with configuration. First, I do not remember how to
tell the version of the auditd I am running. I tried to get it by
pulling strings with no success.
To identify the audit version you're running, you could use the package
version+release or possibly something like
$ audearch -m DAEMON_START
Look for the last message and for the 'ver=' field.
If someone can help me with what needs to be set, I would appreciate
it.
I compared all of the obvious files, such as all pam files, the
audit.rules, auditd.conf and syslog.conf and they all seem to be the
same.
Make sure you have 'session required pam_loginuid.so' entries
in your pam configuration (/etc/pam.d/{atd,crond,login,remote,sshd})
restart system after that...
Klaus
--
Klaus Heinrich Kiwi/Brazil/IBM <klausk(a)br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]
1:18 p.m.
$ audearch -m DAEMON_START
read that as $ausearch -m DAEMON_START
The best option would still be just 'rpm -q audit' and check the output
--
Klaus Heinrich Kiwi/Brazil/IBM <klausk(a)br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]
1:42 p.m.
Thanks Klaus,
The ausearch -m DAEMON_START returns version 1.0.14 for auditd on both systems. I grepped
for loginuid.so in the pam.d directory and it appears in all of the same pam entries on
both systems.
No luck yet, however I appreciate your help.
David A. Kirkwood
>
> I need some help with configuration. First, I do not remember how to
> tell the version of the auditd I am running. I tried to get it by
> pulling strings with no success.
To identify the audit version you're running, you could use the package
version+release or possibly >something like
$ audearch -m DAEMON_START
Look for the last message and for the 'ver=' field.
> If someone can help me with what needs to be set, I would appreciate it.
> I compared all of the obvious files, such as all pam files, the
> audit.rules, auditd.conf and syslog.conf and they all seem to be the
> same.
Make sure you have 'session required pam_loginuid.so' entries in
your pam configuration >(/etc/pam.d/{atd,crond,login,remote,sshd})
restart system after that...
Klaus
--
Klaus Heinrich Kiwi/Brazil/IBM <klausk(a)br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]
4:25 p.m.
On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote:
The ausearch -m DAEMON_START returns version 1.0.14 for auditd on
both
systems. I grepped for loginuid.so in the pam.d directory and it appears in
all of the same pam entries on both systems. No luck yet, however I
appreciate your help.
Do you have audit=1 as kernel boot option?
-Steve
8:30 a.m.
Thanks Steve. That worked. What I don't understand is that it is not in
the system that already worked.
Thanks again,
David A. Kirkwood
On Thursday 06 December 2007 02:42:30 pm Kirkwood, David A. wrote:
> The ausearch -m DAEMON_START returns version 1.0.14 for auditd on
both
> systems. I grepped for loginuid.so in the pam.d directory and it
appears >>in
> all of the same pam entries on both systems. No luck yet, however
I
> appreciate your help.
Do you have audit=1 as kernel boot option?
-Steve
6225
days inactive
6226
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
Kirkwood, David A. -
klausk@br.ibm.com -
Steve Grubb