Hi. I'm not sure whether this subscribe list is the correct one to ask my
question or not. If not, please suggest where I should post it.

I have been creating an auditing procedure. I am working with 2 different
OSes: CentOS 5.7 (everything is working fine) and Debian 6.0.3 (I am having
problems with this).

My setup for auditd is the same in both places. However on the Debian
system I get no audit events for user authentication for things like ssh
and su. I do properly receive file/directory and syscall events. The
problem is that the libpam0g and login packages are compiled without audit
functionality:

CentOS:

> ldd /lib/libpam.so.0
        linux-gate.so.1 =>  (0x00680000)
        libdl.so.2 => /lib/libdl.so.2 (0x00601000)
        libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000)
        libc.so.6 => /lib/libc.so.6 (0x004a6000)
        /lib/ld-linux.so.2 (0x00482000)

Debian:

> ldd /lib/libpam.so.0
        linux-gate.so.1 =>  (0xb7733000)
        libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000)
        libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000)
        libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000)
        /lib/ld-linux.so.2 (0xb7734000)

I managed to recompile the login package but I'm having problems with
compilation of libpam0g (the package containing /lib/libpam.so.0):

> sudo dpkg-buildpackage -rfakeroot -b
    ...
    /bin/bash ../../libtool --tag=CC   --mode=link gcc
-I../../libpam/include -I../../libpamc/include -I../../libpam_misc/include
-g -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -W -Wall
-Wbad-function-cast -Wcast-align -Wcast-qual -Wmissing-declarations
-Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wstrict-prototypes
-Wwrite-strings -Winline -Wshadow -no-undefined -avoid-version -module
-Wl,--version-script=./../modules.map -Wl,-z,defs -Wl,--as-needed -Wl,-O1
-o pam_selinux.la -rpath /lib/security pam_selinux.lo -L../../libpam -lpam
-lselinux -lcrypt
    libtool: link: gcc -shared  .libs/pam_selinux.o   -Wl,-rpath
-Wl,/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs
-L/home/fmyoen/tmp/1/pam-1.1.1/libpam
/home/fmyoen/tmp/1/pam-1.1.1/libpam/.libs/libpam.so -lselinux -lcrypt
-Wl,--version-script=./../modules.map -Wl,-z -Wl,defs -Wl,--as-needed
-Wl,-O1   -Wl,-soname -Wl,pam_selinux.so -o .libs/pam_selinux.so
    .libs/pam_selinux.o: In function `send_audit_message':
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:87:
undefined reference to `audit_open'
    /home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux/pam_selinux.c:112:
undefined reference to `audit_log_user_message'
    collect2: ld returned 1 exit status
    make[4]: *** [pam_selinux.la] Error 1
    make[4]: Leaving directory
`/home/fmyoen/tmp/1/pam-1.1.1/modules/pam_selinux'
    make[3]: *** [all-recursive] Error 1
    make[3]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1/modules'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/home/fmyoen/tmp/1/pam-1.1.1'
    dh_auto_build: make -j1 returned exit code 2
    make: *** [build] Error 2
    dpkg-buildpackage: error: debian/rules build gave error exit status 2

Any ideas what I should do? To me it looks like some packages still need
to be recompiled. How can I trace it? Or maybe there is a better way to get
audit events working?
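
The ldd comparison in the post, turned into a repeatable check over several objects (an added example, not part of the original message). The function names has_libaudit and audit_report are hypothetical, and the two sample listings are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: report which shared objects or binaries are linked against
# libaudit, judged from ldd output. Run ldd only on trusted system paths.

# Sample input: the two ldd listings quoted in the post.
CENTOS_LDD='  linux-gate.so.1 =>  (0x00680000)
  libdl.so.2 => /lib/libdl.so.2 (0x00601000)
  libaudit.so.0 => /lib/libaudit.so.0 (0x0069a000)
  libc.so.6 => /lib/libc.so.6 (0x004a6000)
  /lib/ld-linux.so.2 (0x00482000)'
DEBIAN_LDD='  linux-gate.so.1 =>  (0xb7733000)
  libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb771c000)
  libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb76ea000)
  libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a3000)
  /lib/ld-linux.so.2 (0xb7734000)'

# has_libaudit: read ldd output on stdin. Succeeds only if a libaudit.so.N
# dependency is listed and resolved ("=> not found" counts as a failure).
has_libaudit() {
    awk '$1 ~ /^libaudit\.so(\.[0-9]+)*$/ && $2 == "=>" {
             if ($3 == "not") missing = 1; else found = 1
         }
         END { exit (found && !missing) ? 0 : 1 }'
}

# audit_report: print "<path> audit=yes|no|unreadable" for each path given.
audit_report() {
    for obj in "$@"; do
        if [ ! -r "$obj" ]; then
            echo "$obj audit=unreadable"
        elif ldd "$obj" 2>/dev/null | has_libaudit; then
            echo "$obj audit=yes"
        else
            echo "$obj audit=no"
        fi
    done
}

# Usage: sh check_audit.sh /lib/libpam.so.0 /bin/su /bin/login
if [ "$#" -gt 0 ]; then
    audit_report "$@"
fi
```

A path that reports audit=no was built without libaudit and will not emit authentication events to auditd on its own.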
