Ahh simple pam.d scenario
Justin P. Mattock
On Nov 5, 2008, at 3:10 PM, Tomas Mraz <tmraz(a)redhat.com> wrote:
On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz(a)redhat.com> wrote:
>> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>>> All,
>>> been google-ing all day, so sorry if this info is common knowledge, but I can't seem to find it.
>>>
>>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor requirement (miserable task that it is), and I have to make this system be NISPOM compliant. Unfortunately, ssh logout isn't showing up in my audit logs, and although I have an idea why, I can't seem to find what I think I need ... The system I am building has the following:
>>>
>>> OS = FC5
>>> audit subsystem = 1.3-2
>>> openssh = 4.3p2-4.12
>>> kernel = 2.6.20-1.2320-fc5
>>>
>>> My RHEL4 systems capture ssh logout just fine, and they are at earlier versions of both openssh and the audit subsystem... I found a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and find a later version of openssh or at least a src.rpm to build a newer version for fc5, but I didn't have much luck. Found a 4.3p2-16 src.rpm for el5, but of course, that didn't build properly on my fc5 system.
>>>
>>> Anyone know if I'm chasing my tail? Maybe something else will fix this for FC5 (newer audit pkg?)? Recommendations would be most appreciated. If you all think I DO need a newer openssh version, anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>>
>> You could try to add the relevant patch from the RHEL 5 openssh src.rpm to the FC5 package. But is it really a good idea to use such an old package at all? There are unfixed CVEs and so on. Of course this applies to the rest of the FC5 distribution as well.
>> --
>> Tomas Mraz
>> No matter how far down the wrong road you've gone, turn back.
>> Turkish proverb
>>
>
> out of curiosity would this have something
> to do with the audit=1 option as a boot param?
Nope. The old (or unpatched) openssh just called pam_close_session()
incorrectly.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
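
A check for the symptom discussed in this thread, as an added example that is not from any poster or from the audit or openssh projects: it pairs sshd `USER_START` and `USER_END` audit records and lists session opens that never got a close. The sample records are constructed, and pairing on pid and acct assumes the same sshd process reports both events.

```python
import re

# Constructed sample records in audit.log key=value layout (not taken from the thread).
SAMPLE_LOG = """\
type=USER_START msg=audit(1225926000.100:101): user pid=2101 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225926100.200:117): user pid=2140 uid=0 auid=501 msg='PAM: session open acct="bob" : exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225926150.300:121): user pid=2155 uid=0 auid=502 msg='PAM: session open acct="carol" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=USER_END msg=audit(1225926300.400:140): user pid=2101 uid=0 auid=500 msg='PAM: session close acct="alice" : exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=ssh res=success)'
"""

# Record type plus the timestamp and serial from msg=audit(<time>:<serial>).
RECORD = re.compile(r"^type=(USER_START|USER_END) msg=audit\((\d+\.\d+):(\d+)\):")
# The three fields needed for pairing; values may or may not be quoted.
FIELD = re.compile(r'\b(pid|acct|exe)="?([^"\s,)]+)')


def unclosed_ssh_sessions(log_text):
    """Return sorted (pid, acct, open_time) for sshd session opens with no close."""
    open_sessions = {}
    for line in log_text.splitlines():
        head = RECORD.match(line)
        if not head:
            continue  # not a session start/end record
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # keep the first occurrence of each field
        if not fields.get("exe", "").endswith("/sshd"):
            continue  # only sessions reported by sshd are of interest here
        session = (fields.get("pid", "?"), fields.get("acct", "?"))
        if head.group(1) == "USER_START":
            open_sessions[session] = float(head.group(2))
        else:
            open_sessions.pop(session, None)  # matching close seen
    return sorted((pid, acct, ts) for (pid, acct), ts in open_sessions.items())


if __name__ == "__main__":
    for pid, acct, ts in unclosed_ssh_sessions(SAMPLE_LOG):
        print(f"no USER_END for sshd pid={pid} acct={acct} opened at {ts}")
```

A session that is still logged in when the log is scanned is listed too, so run this over a rotated log or discount currently active logins.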