Thanks a lot Steve, now it works. It was because pam was not compiled with audit support. Now events are generated when a user is logged from a console, terminal or when using ssh.
Now I'll have to user audisp-remote plugin to centralize events. > On Thursday 04 December 2008 08:10:21 Loredan Stancu wrote: >> I recompiled sshd with support for pam on the gentoo machine and the >> following event is logged when using "UsePAM yes" in sshd_config file: >> >> node=127.0.0.1 type=LOGIN msg=audit(1228395162.690:12): login pid=5308 >> uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=5 > > This is from the kernel when pam_loginuid sets the loginuid. Its very > important for all entry point daemons to set this (login, remote, gdm, > sshd, > kdm, xdm, vsftpd, ...) You also need pam itself enabled to send audit > events. > I believe that recent pam versions (0.9 or higher) automatically use > libaudit > if its present when compiling. You might double check what ./configure > --help > shows on your distro. > > >> And also on fedora machine events are generated when a user is logging >> in >> local or using a terminal or a console. On gentoo machine no events are >> generated when a user is logged in from a terminal or console. > > There is a fair amount of enabling audit all over the place. I guess this > is a > disadvantage for a do it yourself distribution. There's things in pam, and > probably 10-15 packages that are audit aware. > > >> What is happen on fedora is ok and I also want this happen on gentoo. >> Have >> you any idea why not the same events are generated on gentoo like is >> generated in fedora? > > I suspect that you needed libaudit built and installed early in the > process of > building Gentoo if you compiled it yourself. If you didn't build it, then > they > must not place a high priority on this security feature. I don't follow > the > Gentoo distribution, so what I just said could be all wrong. But I think > if > libaudit is missing early in the build process, lots of things won't find > it > and disable audit support. > > >> Has Fedora something which may not have or may not be included? > > We send everything upstream so that everyone can benefit. Even that patch > for > sshd I referred you to was sent upstream, but they have not accepted it. > > -Steve > -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
