On Thu, 2009-02-19 at 09:36 -0500, Steve Grubb wrote:
> On Thursday 19 February 2009 09:26:28 am Dan Gruhn wrote:
> > Although this seemed like the right place to look, I don't see
> > USER_LOGOUT events in my audit logs,
>
> They are not used. I decided later that it was not needed for analysis. When
> you log in, there is always a session open event (user_start). This is
> associated with a user_login event. So, when you see the session closed event
> (user_end), the logout has occurred.
So for IDS events we have only console logins, not logouts, and no ssh events?

> However...what if gdm dies? What if the kernel oopses? You have no ending
> marker. So, what I did recently was patch upstart so that it logs system boot
> & shutdown events. This way you can tell when the system malfunctioned. The
> logic for the analysis is in the aulast program, which is in 1.7.11. However,
> you don't have a patched upstart daemon for RHEL5 since it uses the older
> SysVinit package.

If gdm dies I thought it would throw an anomaly event. Don't the kernel oopses
do the same thing? I have seen neither of these two events in the last several
months (thankfully). But I've seen many a login...

> One thing to note, prewikka/prelude is an IDS system. Not all audit events are
> IDS events. Only a handful really qualify as Intrusion Detection worthy. So,
> you really can't use prewikka as an audit log browser.

Agreed. It is (at least in my CONOPS) an early warning system. But the people
who are watching prelude events will not go digging through audit data unless
an alert triggers it. That, or a security breach needing investigation.

Possibly fast login/logout pairs matter. Also, at some sites a logout each day
is required by policy, and a prelude check over the LAN with a clicky-click
interface is easy. An ssh in from a Windows machine by an occasional user, who
doesn't remember the command or know a forward slash from a backslash, to run a
command is unlikely to be a hit. Since the audit-viewer is not network-capable,
we need more info in the prelude listings.

As I've said before, if logouts are not IDS events, why are logins? Personally
I'd prefer both. I will probably patch my audisp to include them. The time taken
to do that would be less than answering the "Why are there no matching logouts?"
for each site at which we field...especially since I don't have a good answer.
Although I personally hold Steve in high regard, "Because Steve says so"
probably won't fly that great. :)

Dan, as Steve says, aulast provides the analysis. However, either I read it
wrong or it ignores root:

[r...@audit ~]# aulast
issm     tty1         ?                Tue Feb 17 05:35   gone - no logout
issm     tty1         ?                Tue Feb 17 05:55   gone - no logout
issm     tty1         ?                Tue Feb 17 06:22   gone - no logout
issm     tty1         ?                Wed Feb 18 10:16 - 17:19  (07:02)
issm     pts/1        192.168.31.40    Thu Feb 19 02:36 - 02:36  (00:00)
[r...@audit ~]# who
root     pts/0        2009-02-19 02:36 (192.168.31.40)

Also aureport has good metrics you can maybe put to use.

At some point I'd like to see the audit-viewer be made network-capable
(preferably the info be browser-accessed) and include these tools visually.

LCB.

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
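The correlation Steve describes (a login is USER_START, a logout is USER_END, and system boot/shutdown records supply the "ending marker" when nothing else does) is small enough to show in code. What follows is an added example, not code from the audit package or from anyone in this thread: the audit lines are constructed for the example (they use the key=value "op=PAM:session_open" msg style; older releases word the msg part differently, so only the header fields and a few msg keys are relied on), the SYSTEM_BOOT/SYSTEM_SHUTDOWN handling follows the idea in the thread rather than aulast's actual source, and a root (auid=0) ssh session is included to show that reporting it or not is a choice the reporting tool makes, not something the records force.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample audit records (hypothetical, not real log data):
#  - ses=7  : issm logs in on tty1 and logs out cleanly (USER_START/USER_END)
#  - ses=9  : root logs in over ssh and logs out cleanly
#  - ses=10 : issm logs in on tty1; the next record is a SYSTEM_BOOT with no
#             SYSTEM_SHUTDOWN before it, so the machine went down hard.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1234856100.101:201): user pid=3001 uid=0 auid=500 ses=7 msg='op=login id=500 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1234856100.102:202): user pid=3001 uid=0 auid=500 ses=7 msg='op=PAM:session_open acct="issm" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1234881540.500:260): user pid=3001 uid=0 auid=500 ses=7 msg='op=PAM:session_close acct="issm" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1234949760.010:301): user pid=4100 uid=0 auid=0 ses=9 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=192.168.31.40 addr=192.168.31.40 terminal=ssh res=success'
type=USER_START msg=audit(1234949800.020:305): user pid=4200 uid=0 auid=500 ses=10 msg='op=PAM:session_open acct="issm" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1234949820.030:310): user pid=4100 uid=0 auid=0 ses=9 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" hostname=192.168.31.40 addr=192.168.31.40 terminal=ssh res=success'
type=SYSTEM_BOOT msg=audit(1234953600.000:1): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET = 4294967295  # value the kernel uses for an unset auid / ses


def parse_record(line: str) -> Optional[dict]:
    """Flatten one audit line into a dict of fields; None if it is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    head, _, body = line.partition(" msg='")        # header fields vs. the quoted msg part
    fields = dict(FIELD_RE.findall(head))
    fields.update(FIELD_RE.findall(body.rstrip("'")))
    rec = {k: v.strip('"') for k, v in fields.items()}
    rec["type"] = m.group("type")
    rec["ts"] = int(m.group("ts"))
    rec["auid"] = int(rec.get("auid", UNSET))
    rec["ses"] = int(rec.get("ses", UNSET))
    return rec


@dataclass
class Session:
    acct: str
    terminal: str
    host: str
    auid: int
    ses: int
    start: int
    end: Optional[int] = None
    status: str = "gone - no logout"   # replaced by "logout", "down" or "crash"


def build_sessions(lines) -> List[Session]:
    """Pair USER_START with USER_END on the kernel session id (ses=) and close whatever
    is still open when a SYSTEM_SHUTDOWN ("down") or SYSTEM_BOOT ("crash") record arrives."""
    open_by_ses: Dict[int, Session] = {}
    done: List[Session] = []

    def close_all(ts: int, status: str) -> None:
        for s in open_by_ses.values():
            s.end, s.status = ts, status
            done.append(s)
        open_by_ses.clear()

    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        kind = rec["type"]
        if kind == "USER_START" and rec["auid"] != UNSET:
            # ses= is unique per boot, which is all we need since boots close everything
            open_by_ses[rec["ses"]] = Session(
                acct=rec.get("acct", "?"), terminal=rec.get("terminal", "?"),
                host=rec.get("addr", "?"), auid=rec["auid"], ses=rec["ses"], start=rec["ts"])
        elif kind == "USER_END":
            s = open_by_ses.pop(rec["ses"], None)
            if s is not None:
                s.end, s.status = rec["ts"], "logout"
                done.append(s)
        elif kind == "SYSTEM_SHUTDOWN":
            close_all(rec["ts"], "down")
        elif kind == "SYSTEM_BOOT":
            # A boot while sessions are still open means no orderly shutdown was
            # logged: those sessions ended when the machine went down hard.
            close_all(rec["ts"], "crash")
    done.extend(open_by_ses.values())   # never closed at all: "gone - no logout"
    return sorted(done, key=lambda s: s.start)


def _when(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M")


def report(sessions: List[Session]) -> List[str]:
    """Render sessions in a last(1)-like layout; returns lines instead of printing."""
    out = []
    for s in sessions:
        if s.end is None:
            tail = s.status
        else:
            h, m = divmod((s.end - s.start) // 60, 60)
            ended = s.status if s.status in ("down", "crash") else _when(s.end)[-5:]
            tail = f"- {ended}  ({h:02d}:{m:02d})"
        out.append(f"{s.acct:<8} {s.terminal:<12} {s.host:<16} {_when(s.start)} {tail}")
    return out


if __name__ == "__main__":
    print("\n".join(report(build_sessions(SAMPLE_LOG.splitlines()))))
```

Run against a real log it would be fed the output of `ausearch` or the raw audit.log; the point of keeping auid on each Session is that a "root sessions are hidden" decision, if a tool makes one, is visible as a filter on that field rather than a gap in the data.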
