Re: openssh logout not being audited on fc5

On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz(a)redhat.com&gt; wrote: > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote: >> All, >> been google-ing all day, so sorry if this info is common knowledge, >> but I can't seem to find it. >> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor >> requirement (miserable task that it is), and I have to make this >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing >> up in my audit logs, and although I have an idea why, I can't seem to >> find what I think I need ... The system I am building has the >> following: >> >> OS = FC5 >> audit subsystem = 1.3-2 >> openssh = 4.3p2-4.12 >> kernel = 2.6.20-1.2320-fc5 >> >> My RHEL4 systems capture ssh logout just fine , and they are at >> earlier versions of both openssh and the audit subsystem... I found >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the >> ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and >> find a later version of open ssh or at least a src.rpm to build a >> newer version for fc5 , but I didn't have much luck. Found a 4.3p2-16 >> src.rpm for el5, but of course, that didn't build properly on my fc5 >> system . >> >> Anyone know if I'm chasing my tail? maybe something else will fix >> this for FC5 (newer audit pkg? )? Recommendations would be most >> appreciated. If you all think I DO need a newer openssh version, >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12? > > You could try to add the relevant patch from the RHEL 5 openssh src.rpm > to the FC5 package. But is it really good idea to use such old package > at all? There are unfixed CVEs and so on. Of course this applies to the > rest of the FC5 distribution as well. > -- > Tomas Mraz > No matter how far down the wrong road you've gone, turn back. > Turkish proverb > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit > out of curiosity would this have something to do with the audit=1 option as a boot param?