Hi,
Got things working on RHEL 64 bit (my target platform). Figured I'd post my
final results.
I was able to get login/logout auditing to work on RHEL 4 by updating the
following packages from the original distribution.
kernel-smp-2.6.9-55.EL.x86_64 (or non-smp)
kernel-smp-devel-2.6.9-55.EL.x86_64 (or non-smp)
glibc-kernheaders-2.4_9.1.100.EL.x86_64
audit-libs-1.0.15-3.EL4.x86_64
audit-1.0.15-3.EL4.x86_64
gdm-2.6.0.5-7.rhel4.15.x86_64.rpm
glibc-kernheaders-2.4-9.1.100.EL.x86_64.rpm
openssh-3.9p1-8.RHEL4.17.1.x86_64.rpm
openssh-askpass-3.9p1-8.RHEL4.17.1.x86_64.rpm
openssh-askpass-gnome-3.9p1-8.RHEL4.17.1.x86_64.rpm
openssh-clients-3.9p1-8.RHEL4.17.1.x86_64.rpm
openssh-server-3.9p1-8.RHEL4.17.1.x86_64.rpm
pam-0.77-66.21.x86_64.rpm
This gives me enough info that I can generate failed and successful logins for
gdm/ssh/su and also generate logout information. Turns out that the version of
ssh available for RHEL4 doesn't generate a USER_END event, but does generate a
CRED_DISP event, which is good enough for my GUI to generate viewable logs.
One note of interest: in earlier posts, it was recommended to set audit=1 in
/etc/grub.conf. I found that if I did so, it suppressed login/logout information.
Bob Evans
JHU/APL
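
The following is an added example, not part of the original post or the poster's GUI: one way to derive login, failed-login and logout events from audit records when a service emits CRED_DISP but no USER_END, as described above for ssh on RHEL4. Assumptions: the sample records are constructed, their field layout is simplified and varies between audit versions, USER_AUTH is taken as the login indicator, a session's records share one pid, and the name session_events is hypothetical.

```python
import re

# Constructed sample records (not from the post). Field layout is assumed and
# differs between audit versions; adjust REC to match your audit.log.
SAMPLE = """\
type=USER_AUTH msg=audit(1180000000.100:10): user pid=4001 uid=0 msg='PAM: authentication acct=alice : exe="/usr/sbin/sshd" (terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1180000005.200:11): user pid=4002 uid=0 msg='PAM: authentication acct=alice : exe="/usr/sbin/sshd" (terminal=ssh res=success)'
type=CRED_DISP msg=audit(1180000065.300:12): user pid=4002 uid=0 msg='PAM: setcred acct=alice : exe="/usr/sbin/sshd" (terminal=ssh res=success)'
type=USER_AUTH msg=audit(1180000070.000:13): user pid=4010 uid=0 msg='PAM: authentication acct=bob : exe="/bin/su" (terminal=pts/1 res=success)'
type=USER_END msg=audit(1180000090.000:14): user pid=4010 uid=0 msg='PAM: session close acct=bob : exe="/bin/su" (terminal=pts/1 res=success)'
type=CRED_DISP msg=audit(1180000090.100:15): user pid=4010 uid=0 msg='PAM: setcred acct=bob : exe="/bin/su" (terminal=pts/1 res=success)'
"""

REC = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):.*?pid=(?P<pid>\d+)"
    r".*?acct=(?P<acct>\S+).*?exe=\"(?P<exe>[^\"]+)\".*?res=(?P<res>\w+)")

def session_events(text):
    """Return (timestamp, event, account, exe) tuples in log order."""
    open_sessions = {}   # pid -> account with a successful login not yet closed
    events = []
    for line in text.splitlines():
        m = REC.search(line)
        if not m:
            continue     # unrelated or unparseable record
        ts, pid, acct, exe = int(m["ts"]), m["pid"], m["acct"], m["exe"]
        if m["type"] == "USER_AUTH":
            if m["res"] == "success":
                open_sessions[pid] = acct
                events.append((ts, "login", acct, exe))
            else:
                events.append((ts, "failed_login", acct, exe))
        elif m["type"] in ("USER_END", "CRED_DISP"):
            # Either record closes the session; the first one seen wins, so a
            # service emitting both yields one logout, and one emitting only
            # CRED_DISP (ssh in the post) still yields a logout.
            if open_sessions.pop(pid, None) is not None:
                events.append((ts, "logout", acct, exe))
    return events

if __name__ == "__main__":
    for ev in session_events(SAMPLE):
        print(*ev)
```

A CRED_DISP for a pid with no open session, such as one following a failed authentication, produces no logout event.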