On Thu, Nov 6, 2008 at 12:00 PM, Wieprecht, Karen M. <[EMAIL PROTECTED]> wrote:
> OK, I got ssh logout working. The pam_close_session patch tip was the piece
> I needed, thanks.
>
> I found some good instructions on how to patch and rebuild an rpm package
> since I've never done that before
> (http://bradthemad.org/tech/notes/patching_rpms.php). I downloaded both the
> latest archived openssh src.rpms for fc5 (4.3p2-4.12) and fc6 (4.3p2-25)
> and compared the .patch files and the .spec files. I tried to rebuild the
> fc5 package with all of the additional .patch files that the fc6 version
> used, but at least one of them was causing the compile to fail. Rather than
> try to figure out which one was causing the problem, I simplified the specs
> to just what I thought I needed to get the auditing of ssh logout working.
> I was successful in getting openssh 4.3p2-4.12 to compile with its standard
> patches plus the pam-session patch from the 4.3p2-25 src.rpm. I then
> replaced the default 4.3p2-4.12 packages with my patched ones, and ssh
> logouts are now successfully being audited.
>
> Thanks all, you've been a big help.
>
> Karen Wieprecht
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas Mraz
> Sent: Wednesday, November 05, 2008 6:10 PM
> To: Justin Mattock
> Cc: [email protected]; Wieprecht, Karen M.
> Subject: Re: openssh logout not being audited on fc5
>
> On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
>> On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <[EMAIL PROTECTED]> wrote:
>> > On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>> >> All,
>> >> been googling all day, so sorry if this info is common knowledge,
>> >> but I can't seem to find it.
>> >>
>> >> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>> >> requirement (miserable task that it is), and I have to make this
>> >> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>> >> up in my audit logs, and although I have an idea why, I can't seem
>> >> to find what I think I need ... The system I am building has the
>> >> following:
>> >>
>> >> OS = FC5
>> >> audit subsystem = 1.3-2
>> >> openssh = 4.3p2-4.12
>> >> kernel = 2.6.20-1.2320-fc5
>> >>
>> >> My RHEL4 systems capture ssh logout just fine, and they are at
>> >> earlier versions of both openssh and the audit subsystem... I found
>> >> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix
>> >> the ssh logout problem for (I think) SuSe 10.1, so I thought I'd
>> >> try and find a later version of openssh or at least a src.rpm to
>> >> build a newer version for fc5, but I didn't have much luck. Found
>> >> a 4.3p2-16 src.rpm for el5, but of course, that didn't build
>> >> properly on my fc5 system.
>> >>
>> >> Anyone know if I'm chasing my tail? Maybe something else will fix
>> >> this for FC5 (newer audit pkg?)? Recommendations would be most
>> >> appreciated. If you all think I DO need a newer openssh version,
>> >> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>> >
>> > You could try to add the relevant patch from the RHEL 5 openssh
>> > src.rpm to the FC5 package. But is it really a good idea to use such
>> > old package at all? There are unfixed CVEs and so on. Of course this
>> > applies to the rest of the FC5 distribution as well.
>> > --
>> > Tomas Mraz
>> > No matter how far down the wrong road you've gone, turn back.
>> > Turkish proverb
>> >
>> > --
>> > Linux-audit mailing list
>> > [email protected]
>> > https://www.redhat.com/mailman/listinfo/linux-audit
>> >
>>
>> out of curiosity would this have something to do with the audit=1
>> option as a boot param?
>
> Nope. The old (or unpatched) openssh just called pam_close_session()
> incorrectly.
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
What about using
session required pam_selinux.so multiple
(not sure which is older) but from what I remember the open and close
options just recently were being used, or at least I started to notice
these options.

--
Justin P. Mattock
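
As an added example (not part of the thread or of any poster's code): Linux-PAM's audit support writes a USER_START record when a session opens and a USER_END record when pam_close_session() completes, so the symptom discussed in this thread shows up as sshd session opens with no matching close. The log lines below are constructed and simplified, and pairing on sshd pid plus account name is an assumption.

```python
import re

# Constructed sample records, simplified from the auditd log layout; not taken from the thread.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225990000.100:101): user pid=2301 uid=0 auid=500 msg='PAM: session open acct=karen : exe="/usr/sbin/sshd" (hostname=host.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_END msg=audit(1225990600.200:140): user pid=2301 uid=0 auid=500 msg='PAM: session close acct=karen : exe="/usr/sbin/sshd" (hostname=host.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225991000.300:150): user pid=2410 uid=0 auid=501 msg='PAM: session open acct=justin : exe="/usr/sbin/sshd" (hostname=host.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1225991000.400:151): user pid=2410 uid=0 auid=501 msg='uid=501: exe="/usr/sbin/sshd" (hostname=host.example, addr=192.0.2.11, terminal=/dev/pts/1 res=success)'
"""

# Captures: record type, timestamp, serial, pid, account, executable.
# acct may be quoted or bare depending on the audit version, so accept both.
RECORD = re.compile(
    r'^type=(USER_START|USER_END) msg=audit\((\d+\.\d+):(\d+)\):'
    r'.*?\bpid=(\d+)\b.*?\bacct="?([^\s":]+)"?.*?exe="([^"]+)"')


def unclosed_ssh_sessions(log_text, exe="/usr/sbin/sshd"):
    """Return [(pid, acct, start_time)] for sshd USER_START records with no later USER_END."""
    open_sessions = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m.group(6) != exe:
            continue  # other record types or other PAM services
        rtype, stamp, _serial, pid, acct, _exe = m.groups()
        key = (int(pid), acct)  # assumption: open and close are logged by the same sshd pid
        if rtype == "USER_START":
            open_sessions[key] = float(stamp)
        else:
            open_sessions.pop(key, None)  # USER_END closes the matching session
    return sorted((pid, acct, ts) for (pid, acct), ts in open_sessions.items())


if __name__ == "__main__":
    for pid, acct, ts in unclosed_ssh_sessions(SAMPLE_LOG):
        print(f"no USER_END for acct={acct} sshd pid={pid} (opened at {ts})")
```

Sessions that are still logged in when the log is read are also reported, so run the check after the test logins have exited.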
