On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote:
I recompiled sshd with support for pam on the gentoo machine and the
following event is logged when using "UsePAM yes" in sshd_config file:
node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308
uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5
This is from the kernel when pam_loginuid sets the loginuid. Its very
important for all entry point daemons to set this (login, remote, gdm, sshd,
kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit events.
I believe that recent pam versions (0.9 or higher) automatically use libaudit
if its present when compiling. You might double check what ./configure --help
shows on your distro.
And also on fedora machine events are generated when a user is
logging in
local or using a terminal or a console. On gentoo machine no events are
generated when a user is logged in from a terminal or console.
There is a fair amount of enabling audit all over the place. I guess this is a
disadvantage for a do it yourself distribution. There's things in pam, and
probably 10-15 packages that are audit aware.
What is happen on fedora is ok and I also want this happen on gentoo.
Have
you any idea why not the same events are generated on gentoo like is
generated in fedora?
I suspect that you needed libaudit built and installed early in the process of
building Gentoo if you compiled it yourself. If you didn't build it, then they
must not place a high priority on this security feature. I don't follow the
Gentoo distribution, so what I just said could be all wrong. But I think if
libaudit is missing early in the build process, lots of things won't find it
and disable audit support.
Has Fedora something which may not have or may not be included?
We send everything upstream so that everyone can benefit. Even that patch for
sshd I referred you to was sent upstream, but they have not accepted it.
-Steve