OK, I got ssh logout working. The pam_close_session patch tip was the piece I
needed, thanks.

I found some good instructions on how to patch and rebuild an rpm package since
I've never done that before
(http://bradthemad.org/tech/notes/patching_rpms.php). I downloaded both the
latest archived openssh src.rpms for fc5 (4.3p2-4.12) and fc6 (4.3p2-25) and
compared the .patch files and the .spec files. I tried to rebuild the fc5
package with all of the additional .patch files that the fc6 version used, but
at least one of them was causing the compile to fail. Rather than try to
figure out which one was causing the problem, I simplified the specs to just
what I thought I needed to get the auditing of ssh logout working. I was
successful in getting openssh 4.3p2-4.12 to compile with its standard patches
plus the pam-session patch from the 4.3p2-25 src.rpm. I then replaced the
default 4.3p2-4.12 packages with my patched ones, and ssh logouts are now
successfully being audited.

Thanks all,  you've been a big help.

Karen Wieprecht

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas Mraz
Sent: Wednesday, November 05, 2008 6:10 PM
To: Justin Mattock
Cc: [email protected]; Wieprecht, Karen M.
Subject: Re: openssh logout not being audited on fc5

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <[EMAIL PROTECTED]> wrote:
> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
> >> All,
> >> Been googling all day, so sorry if this info is common knowledge,
> >> but I can't seem to find it.
> >>
> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
> >> requirement (miserable task that it is), and I have to make this
> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
> >> up in my audit logs, and although I have an idea why, I can't seem
> >> to find what I think I need... The system I am building has the
> >> following:
> >>
> >> OS              = FC5
> >> audit subsystem = 1.3-2
> >> openssh         = 4.3p2-4.12
> >> kernel          = 2.6.20-1.2320-fc5
> >>
> >> My RHEL4 systems capture ssh logout just fine, and they are at
> >> earlier versions of both openssh and the audit subsystem... I found
> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix
> >> the ssh logout problem for (I think) SuSe 10.1, so I thought I'd
> >> try and find a later version of openssh or at least a src.rpm to
> >> build a newer version for fc5, but I didn't have much luck. Found
> >> a 4.3p2-16 src.rpm for el5, but of course, that didn't build
> >> properly on my fc5 system.
> >>
> >> Anyone know if I'm chasing my tail? Maybe something else will fix
> >> this for FC5 (newer audit pkg?)? Recommendations would be most
> >> appreciated. If you all think I DO need a newer openssh version,
> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
> >
> > You could try to add the relevant patch from the RHEL 5 openssh
> > src.rpm to the FC5 package. But is it really a good idea to use such
> > an old package at all? There are unfixed CVEs and so on. Of course this
> > applies to the rest of the FC5 distribution as well.
> > --
> > Tomas Mraz
> > No matter how far down the wrong road you've gone, turn back.
> >                                              Turkish proverb
> >
> > --
> > Linux-audit mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>
> Out of curiosity, would this have something to do with the audit=1
> option as a boot param?

Nope. The old (or unpatched) openssh just called pam_close_session() 
incorrectly.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
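
A way to check the outcome discussed in this thread, as an added example that is not part of the original messages: the script pairs PAM session-open and session-close audit records for sshd and reports opens that never got a close. It assumes the audit records are of type USER_START and USER_END, that both records of a session carry the same pid and account, and it uses constructed sample lines rather than real log data.

```python
import re

# Constructed sample records in the general shape of Linux audit USER_START /
# USER_END lines; hosts, pids and account names are made up for illustration.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225926000.101:410): user pid=2301 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=client1.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_END msg=audit(1225926300.220:431): user pid=2301 uid=0 auid=500 msg='PAM: session close acct="alice" : exe="/usr/sbin/sshd" (hostname=client1.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225926400.007:440): user pid=2377 uid=0 auid=501 msg='PAM: session open acct="bob" : exe="/usr/sbin/sshd" (hostname=client2.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225926500.500:452): user pid=2410 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Pull out record type, event serial, pid, account and executable.
RECORD = re.compile(
    r'type=(?P<type>USER_START|USER_END) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):'
    r'.*?\bpid=(?P<pid>\d+)\b.*?acct="?(?P<acct>[^\s":]+)"?.*?exe="(?P<exe>[^"]+)"'
)


def unclosed_ssh_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return (pid, acct, serial) for session opens by `exe` with no later close.

    Assumption: open and close records of one session share pid and acct.
    """
    open_sessions = {}
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m or m["exe"] != exe:
            continue
        key = (int(m["pid"]), m["acct"])
        if m["type"] == "USER_START":
            open_sessions[key] = int(m["serial"])
        else:
            # A USER_END closes the matching open; unmatched closes are ignored.
            open_sessions.pop(key, None)
    return sorted((pid, acct, serial) for (pid, acct), serial in open_sessions.items())


if __name__ == "__main__":
    for pid, acct, serial in unclosed_ssh_sessions(SAMPLE_LOG):
        print(f"no session close seen: acct={acct} pid={pid} open event serial={serial}")
```

A user who is still logged in also shows up as unclosed, so run the check over a window in which the test logins are known to have ended.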