I just installed Fedora Core 10 on VmWare machine and auditd/audisp-prelude seams to work fine.
I recompiled sshd with support for pam on the gentoo machine and the following event is logged when using "UsePAM yes" in sshd_config file: node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5 This is the only event which was generated when a user is logged in using ssh. On fedora machine more events are generate when a user is logged in using ssh: node=127.0.0.1 type=USER_LOGIN msg=audit(1228402657.814:16): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="darkone": exe="/usr/sbin/sshd" (hostname=?, addr=172.16.53.1, terminal=sshd res=failed)' node=127.0.0.1 type=USER_AUTH msg=audit(1228402662.417:17): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)' node=127.0.0.1 type=USER_ACCT msg=audit(1228402662.425:18): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)' node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.428:19): user pid=2735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)' node=127.0.0.1 type=LOGIN msg=audit(1228402662.430:20): login pid=2735 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=4 node=127.0.0.1 type=USER_START msg=audit(1228402662.430:21): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)' node=127.0.0.1 type=CRED_ACQ msg=audit(1228402662.432:22): user pid=2740 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="darkone" exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=ssh res=success)' node=127.0.0.1 type=USER_LOGIN msg=audit(1228402662.435:23): user pid=2735 uid=0 auid=500 ses=4 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/sshd" (hostname=172.16.53.1, addr=172.16.53.1, terminal=/dev/pts/2 res=success)' And also on fedora machine events are generated when a user is logging in local or using a terminal or a console. On gentoo machine no events are generated when a user is logged in from a terminal or console. Pam configuration on gentoo: # cat /etc/pam.d/sshd auth required pam_tally.so file=/var/log/faillog onerr=succeed auth required pam_shells.so auth required pam_nologin.so auth include system-auth account required pam_access.so account required pam_nologin.so account include system-auth account required pam_tally.so file=/var/log/faillog onerr=succeed password include system-auth session required pam_loginuid.so session optional pam_console.so session required pam_env.so session optional pam_lastlog.so session include system-auth session optional pam_motd.so motd=/etc/motd session optional pam_mail.so PAM configuration on Fedora machine: # cat /etc/pam.d/sshd auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth session required pam_loginuid.so session optional pam_keyinit.so force revoke # cat /etc/pam.d/system-auth auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so What is happen on fedora is ok and I also want this happen on gentoo. Have you any idea why not the same events are generated on gentoo like is generated in fedora? I have to add something else to pam on gentoo? Has Fedora something which may not have or may not be included? > On Wednesday 03 December 2008 12:58:24 you wrote: >> Another question: Can auditd generate events when a user is logging in >> using ssh? That implies ssh use pam? > > There are 2 sets of events being sent, auth/acct/session open/close are > from > pam. But cron sends the same events. So, sshd itself sends another event > USER_LOGIN that is to signify that the pam events are associated with a > login > and what the final result were. > > >> I ask this because I want use audit in a production server and I'm not >> allowed to manually install packages. I am allowed to only use emerge to >> install packages. At this moment I do not have a USE flag(gentoo >> specific) >> corresponding to --with-linux-audit. > > I guess Gentoo is unpatched. Things will not work right without that last > patch. All analysis software is predicated on seeing that event. > > >> @Steve :) : Can you help me please with audisp-remote? I'll explain >> again >> what I want to do: >> Lets say I have 3 machines(M1 M2 M3). M1 and M2 are 2 server production. >> M3 is a centralized machine events. On M1 and M2 runs auditd and >> audisp-remote. >> audisp-remote sends events to M3. I know how to configure auditd and >> audisp-remote on M1 and M3. What I don't know is what should I do on M3 >> so >> that it can receive events from M1 and M2 and store this events in >> regular >> file. > > You only have to set its tcp_listen_port to the same one that M1 & M2 are > trying to connect on, update tcp_wrappers hosts.allow file to allow M1 & > M2 to > connect, then if you have selinux, you need to tell it what port you are > using, and you also need to punch a hole in your firewall for that port. > > >> > And you are able to load and list the 2 rules I sent above? Can you >> find >> > the results with ausearch --start today -k mkexe -m SYSCALL ? >> >> Yes, I could load that rules and this is what si loaded when a file gets >> eecution rights: > > This looks fine. It should be working for you, then. > > -Steve > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
