Steve, thank you for your quick response!
Indeed, that's the problem. My copy of PAM is not compiled with audit support.
Many thanks, again,
Robert
-------- Original message --------
From: Steve Grubb <sgrubb(a)redhat.com>
Date: 30 May 2019 14:31:19
Subject: Re: Missing login records - Audit functionality in different kernel versions
To: linux-audit(a)redhat.com
Hello,
On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN record types at all, only USER_LOGIN types.
As I understand it, these records should be there without any rules set.
https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html
Yes. These are sent by pam. So, the question would be, is your copy of pam compiled with audit support?
ldd /usr/lib64/libpam_misc.so | grep libaudit
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f06c2c39000)
On another server with kernel version 4.9 it works properly. Is there a possibility that this Audit functionality is not implemented in kernel version 3.2, or is this just a configuration issue on my side?
This should be pam.
-Steve
We have too many Debian 3.x production servers to consider a kernel upgrade being an option.
If it's a kernel issue, could you please recommend any workaround?
Currently I am thinking of parsing the auth.log.
Many thanks,
Robert
auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
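The two checks discussed in the thread, written up as a small diagnostic: first, Steve's `ldd` test for whether the PAM library links against libaudit; second, a scan of a raw-format audit.log for the five PAM-generated record types Robert expected (USER_AUTH, USER_ACCT, CRED_ACQ, USER_START, USER_LOGIN), reporting which are absent. This is an added example, not code from the thread or from the audit project. The sample log lines are constructed, and the candidate library paths in `check_local_pam` are assumptions (Steve's RHEL path plus a Debian-style path); the function simply reports None when neither path or `ldd` is present.

```python
"""Diagnose the symptom from the thread: PAM audit records missing from audit.log.
Added example; not part of the mailing-list thread or the audit project."""
import os
import re
import shutil
import subprocess
from collections import Counter

# Record types PAM emits via libaudit during a login (as listed in the thread).
PAM_RECORD_TYPES = ("USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START", "USER_LOGIN")

# Raw log_format lines start with "type=<TYPE> msg=audit(...)".
TYPE_RE = re.compile(r"^type=(\S+)")

# Constructed sample: a login on a PAM built with audit support (all five types present).
HEALTHY_LOG = [
    "type=USER_AUTH msg=audit(1559222243.101:201): pid=1234 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:authentication acct=\"robert\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    "type=USER_ACCT msg=audit(1559222243.102:202): pid=1234 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:accounting acct=\"robert\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    "type=CRED_ACQ msg=audit(1559222243.103:203): pid=1234 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=PAM:setcred acct=\"robert\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    "type=USER_START msg=audit(1559222243.104:204): pid=1234 uid=0 auid=1001 ses=3 "
    "msg='op=PAM:session_open acct=\"robert\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1559222243.105:205): pid=1234 uid=0 auid=1001 ses=3 "
    "msg='op=login id=1001 exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'",
]

# Constructed sample matching the thread's symptom: only USER_LOGIN shows up.
DEGRADED_LOG = [HEALTHY_LOG[-1]]


def pam_linked_against_libaudit(ldd_output: str) -> bool:
    """True if the given ldd output lists libaudit (Steve's check, applied to text)."""
    return any("libaudit.so" in line for line in ldd_output.splitlines())


def count_record_types(lines):
    """Count record types across raw-format audit.log lines."""
    counts = Counter()
    for line in lines:
        m = TYPE_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def missing_pam_records(lines):
    """Return the PAM record types that never appear in the given lines, in canonical order."""
    counts = count_record_types(lines)
    return [t for t in PAM_RECORD_TYPES if counts[t] == 0]


def check_local_pam(candidates=("/usr/lib64/libpam_misc.so", "/lib/x86_64-linux-gnu/libpam.so.0")):
    """Run ldd on the first PAM library found; None if ldd or the libraries are unavailable.
    The candidate paths are assumptions for this example, not values from the thread."""
    ldd = shutil.which("ldd")
    if ldd is None:
        return None
    for path in candidates:
        if os.path.exists(path):
            proc = subprocess.run([ldd, path], capture_output=True, text=True)
            return pam_linked_against_libaudit(proc.stdout)
    return None


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("degraded", DEGRADED_LOG)):
        absent = missing_pam_records(log)
        verdict = "all PAM record types present" if not absent else "missing: " + ", ".join(absent)
        print(f"{name}: {verdict}")
    local = check_local_pam()
    if local is None:
        print("local PAM check skipped (no ldd or no known PAM library path)")
    else:
        print("local PAM links against libaudit" if local else "local PAM does NOT link against libaudit")
```

If the log scan reports the four PAM-only types missing while USER_LOGIN survives, that matches the thread's outcome: the kernel side is fine and the PAM build lacks audit support, so the fix is a PAM package built with libaudit rather than an audit rule or a kernel upgrade.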