I just installed Fedora Core 10 on a VMware machine and
auditd/audisp-prelude seems to work fine.
I recompiled sshd with support for PAM on the Gentoo machine and the
following event is logged when using "UsePAM yes" in the sshd_config file:
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is the only event which was generated when a user logged in using
ssh.
On the Fedora machine more events are generated when a user logs in using
ssh:
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="darkone": exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd res=failed)'
node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=/dev/pts/2 res=success)'
And also on the Fedora machine events are generated when a user logs in
locally or using a terminal or a console. On the Gentoo machine no events are
generated when a user logs in from a terminal or console.
PAM configuration on Gentoo:
# cat /etc/pam.d/sshd
auth required pam_tally.so file=/var/log/faillog onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally.so file=/var/log/faillog onerr=succeed
password include system-auth
session required pam_loginuid.so
session optional pam_console.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
PAM configuration on Fedora machine:
# cat /etc/pam.d/sshd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
# cat /etc/pam.d/system-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
What happens on Fedora is OK and I also want this to happen on Gentoo. Have
you any idea why the same events are not generated on Gentoo as they are
generated on Fedora? Do I have to add something else to PAM on Gentoo? Does
Fedora have something which Gentoo may not have or may not include?
On Wednesday 03 December 2008 12:58:24 you wrote:
> Another question: Can auditd generate events when a user is logging in
> using ssh? That implies ssh uses PAM?
There are 2 sets of events being sent: auth/acct/session open/close are from
pam. But cron sends the same events. So, sshd itself sends another event,
USER_LOGIN, that is to signify that the pam events are associated with a login
and what the final result was.
> I ask this because I want to use audit in a production server and I'm not
> allowed to manually install packages. I am allowed to only use emerge to
> install packages. At this moment I do not have a USE flag (gentoo specific)
> corresponding to --with-linux-audit.
I guess Gentoo is unpatched. Things will not work right without that last
patch. All analysis software is predicated on seeing that event.
> @Steve :) : Can you help me please with audisp-remote? I'll explain again
> what I want to do:
> Let's say I have 3 machines (M1 M2 M3). M1 and M2 are 2 production servers.
> M3 is a centralized events machine. On M1 and M2 run auditd and
> audisp-remote.
> audisp-remote sends events to M3. I know how to configure auditd and
> audisp-remote on M1 and M3. What I don't know is what I should do on M3 so
> that it can receive events from M1 and M2 and store these events in a
> regular file.
You only have to set its tcp_listen_port to the same one that M1 & M2 are
trying to connect on, update the tcp_wrappers hosts.allow file to allow M1 &
M2 to connect, then if you have selinux, you need to tell it what port you are
using, and you also need to punch a hole in your firewall for that port.
> > And you are able to load and list the 2 rules I sent above? Can you find
> > the results with ausearch --start today -k mkexe -m SYSCALL ?
>
> Yes, I could load those rules and this is what is loaded when a file gets
> execution rights:
This looks fine. It should be working for you, then.
-Steve
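As an added example, not code from this thread or from the audit project: a small Python parser for the audit records shown above that correlates the PAM records (USER_AUTH, USER_START, ...) with the LOGIN and USER_LOGIN records of the same sshd pid and flags a login whose outcome was never recorded by a USER_LOGIN record, which is the symptom Steve attributes to an unpatched sshd. The sample lines are constructed from the records in the thread with the subj= fields dropped; the grouping key, field names and the "no USER_LOGIN record" wording are this example's own choices.

```python
import re
from collections import defaultdict
# Constructed sample (subj= fields dropped for width): the Fedora sshd login
# from the thread, then the Gentoo login that produced only a LOGIN record.
SAMPLE = """\
node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4
node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735 uid=0 auid=500 ses=4 msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)'
node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=/dev/pts/2 res=success)'
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
"""

HEAD = re.compile(r"type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):")
# "old auid=" and "new auid=" on a LOGIN record are kept as distinct keys
FIELD = re.compile(r"((?:old |new )?\w+)=([^\s,)]+)")

def parse_record(line):
    """One audit line -> dict; fields nested in msg='...' are flattened in."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = {"type": m.group(1), "serial": int(m.group(4))}
    body = line[m.end():]
    inner = re.search(r"msg='(.*)'\s*$", body)
    if inner:
        body = body[:inner.start()] + inner.group(1)
    for key, val in FIELD.findall(body):
        rec[key.replace(" ", "_")] = val.strip("\"':")
    return rec

def audit_logins(text):
    """Correlate PAM records with the LOGIN/USER_LOGIN records of the same sshd
    pid (key on node= too for a multi-host stream) and report each outcome."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_pid[rec["pid"]].append(rec)
    report = {}
    for pid, recs in by_pid.items():
        recs.sort(key=lambda r: r["serial"])
        login = next((r for r in recs if r["type"] == "LOGIN"), None)
        outcome = next((r for r in recs if r["type"] == "USER_LOGIN"), None)
        report[pid] = {
            "auid": login["new_auid"] if login else None,
            "types": [r["type"] for r in recs],
            # a missing USER_LOGIN is the symptom the thread describes
            "result": outcome["res"] if outcome else "no USER_LOGIN record",
        }
    return report
```

Running `audit_logins(SAMPLE)` reports pid 2735 with result success and pid 5308 (the Gentoo login) with "no USER_LOGIN record".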