On Wed, 2009-02-18 at 16:58 -0500, Dan Gruhn wrote: > I''m working on an X86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm > looking to modify the audisp-prelude plugin so that I can get logout > events displayed. > > I see the information in the audit.log as USER_END and have done a small > mod in the handle_event routine in audisp-prelude.c so that it looks for > AUDIT_USER_END but I've run across the following things: > > 1) sshd goes through a login/logout cycle ending in USER_END and all is > good. > node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 > uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 > msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" > (hostname=master, addr=10.1.4.100, terminal=ssh res=success)' > > > > 2) gdm-binary goes through the same login/logout cycle, but on the > USER_END audit message it is missing some information, in particular the > source hostname: > node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 > uid=0 auid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: > session close acct="root" : exe="/usr/sbin/gdm-binary" (hostname=?, > addr=?, terminal=:0 res=success)' > > 3) When crond runs, it goes through a similar cycle (but without the > USER_LOGIN step) ending with USER_END > node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 > uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: > session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, > terminal=cron res=success)' > > I want to ignore the crond operations and be able to fill in the > information from gdm-binary. Has any one done this prelude logout > tracking before or have any ideas how I can proceed. > > As always, a pointer to more information is quite acceptable. > > Dan >
Dan, As I myself eventually learned, the hostname/addr info is only for remote access information. The gdm process doesn't get that filled in, nor does crond. As for the logouts being sent to prelude, I preferred that as well but no one (except me) felt that a logout was security-worthy in the context of IDS events IIRC. I wanted them somewhat for the same reason - because then it told a complete story. Also I believe there is a need due to screenlocks - if someone else can login while your screen is locked then there isn't a trace back to when they logged out. I haven't looked at that for a while though; not sure it it is still possible. I myself patch the audisp-prelude.c code so I can catch some application events there and send to prelude as well. LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
