On Wednesday 03 December 2008 12:58:24 you wrote: > Another question: Can auditd generate events when a user is logging in > using ssh? That implies ssh use pam?
There are 2 sets of events being sent, auth/acct/session open/close are from pam. But cron sends the same events. So, sshd itself sends another event USER_LOGIN that is to signify that the pam events are associated with a login and what the final result were. > I ask this because I want use audit in a production server and I'm not > allowed to manually install packages. I am allowed to only use emerge to > install packages. At this moment I do not have a USE flag(gentoo specific) > corresponding to --with-linux-audit. I guess Gentoo is unpatched. Things will not work right without that last patch. All analysis software is predicated on seeing that event. > @Steve :) : Can you help me please with audisp-remote? I'll explain again > what I want to do: > Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production. > M3 is a centralized machine events. On M1 and M2 runs auditd and > audisp-remote. > audisp-remote sends events to M3. I know how to configure auditd and > audisp-remote on M1 and M3. What I don't know is what should I do on M3 so > that it can receive events from M1 and M2 and store this events in regular > file. You only have to set its tcp_listen_port to the same one that M1 & M2 are trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & M2 to connect, then if you have selinux, you need to tell it what port you are using, and you also need to punch a hole in your firewall for that port. > > And you are able to load and list the 2 rules I sent above? Can you find > > the results with ausearch --start today -k mkexe -m SYSCALL ? > > Yes, I could load that rules and this is what si loaded when a file gets > eecution rights: This looks fine. It should be working for you, then. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
