* Re: auditd not logging proper log.
       [not found] ` <94614270.1103019.1625898535256@mail.yahoo.com>
@ 2021-07-10 14:27   ` Steve Grubb
       [not found]     ` <293734062.1021895.1627546756090@mail.yahoo.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2021-07-10 14:27 UTC (permalink / raw)
  To: linux-audit

On Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
> 1) I am trying to run auditd (start/stop) without the root user, as a normal
> user. How can I achieve this on Linux?

For security reasons, this is not allowed.

> 2) I am using kernel version 4.19.97 and I am not getting any login/logout or
> authentication fail/pass log data in the audit.log file. Does it need any
> changes in the config or rules?

This is hardwired into pam. The rules don't matter. I'd check that pam was 
compiled with audit support and that audit is enabled in the kernel.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



* Re: auditd not logging proper log.
       [not found]     ` <293734062.1021895.1627546756090@mail.yahoo.com>
@ 2021-07-29 16:18       ` Steve Grubb
  2021-08-07  4:47         ` Rakesh Kumar
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2021-07-29 16:18 UTC (permalink / raw)
  To: linux-audit, Rakesh Kumar

On Thursday, July 29, 2021 4:19:16 AM EDT Rakesh Kumar wrote:
> I did not get you. In the kernel, auditd is enabled (kauditd is running), so
> what exactly do we have to change in my system to get full login and logout
> info in the audit.log file?

Logging in/out is done in 2 places. First, pam records what it knows. But the 
entry point daemon is also supposed to send USER_LOGIN and USER_LOGOUT 
events.

Complete information is here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

Gdm, Kdm, and sshd all have been updated to record these events. All that is 
needed is to configure --with-audit during the package build. By now, I would 
expect all distros to do that.

-Steve



* Re: auditd not logging proper log.
  2021-07-29 16:18       ` Steve Grubb
@ 2021-08-07  4:47         ` Rakesh Kumar
  2021-08-08 13:42           ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Rakesh Kumar @ 2021-08-07  4:47 UTC (permalink / raw)
  To: linux-audit, Steve Grubb



 
Hi Team,

1) I am using auditctl version 2.4.4. Does this version have the user login/logout info to log into audit.log?

2) If you want to see the pam.d/login file configuration to check why it's not logging the login/logout info, please let me know; I will be happy to share that file. If other pam files need to be checked, please let me know that also.
As I see in my system, [kauditd] is running, so it logs all login info.
Please help me on this.
Regards,
Rakesh


* Re: auditd not logging proper log.
  2021-08-07  4:47         ` Rakesh Kumar
@ 2021-08-08 13:42           ` Steve Grubb
       [not found]             ` <758905872.811310.1628444880085@mail.yahoo.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2021-08-08 13:42 UTC (permalink / raw)
  To: linux-audit, Rakesh Kumar

On Saturday, August 7, 2021 12:47:56 AM EDT Rakesh Kumar wrote:
> 1) I am using auditctl version 2.4.4. Does this version have the user
> login/logout info to log into audit.log?

This is not the responsibility of auditd. Auditd provides libaudit. 
Applications use that to create log events. It is the responsibility of system 
entry point daemons to log the event. User login events have been supported 
as long as I can remember.

> 2) If you want to see the pam.d/login file configuration to check why it's
> not logging the login/logout info, please let me know.

It's not configurable by an end user. It's configured at compile time. You would 
want to look at the build logs for pam and entrypoint daemons such as sshd, 
gdm, kdm, etc.

-Steve



* Re: auditd not logging proper log.
       [not found]             ` <758905872.811310.1628444880085@mail.yahoo.com>
@ 2021-08-09  3:19               ` Steve Grubb
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2021-08-09  3:19 UTC (permalink / raw)
  To: Rakesh Kumar; +Cc: linux-audit

On Sunday, August 8, 2021 1:48:00 PM EDT you wrote:
> The user login/logout information is being logged into the auth.log file but
> not into audit.log. It means that the sshd and pam configuration is
> working for auth.log, so why is it not working for audit.log? Where
> could the problem be that this is not being logged into the audit.log file?
> Where should I investigate?

As I said, the build logs. Listen, do not keep sending emails saying this is 
not working please help. I have no idea what distribution you are using or if 
you have even contacted them. If you are using a distribution, please contact 
them.

You point to syslog and ask why audit is not working. Audit doesn't send to 
syslog, it sends to auditd unless auditd is not running. Is it?

Audit is working for all distributions I know of. If it's not working for 
you, it is incumbent on you to explain what your system is using and how 
you've checked it. Try ldd for example to see if pam is actually linked 
against libaudit.

-Steve
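
The checks suggested in this thread (ldd linkage against libaudit, audit enabled in the kernel, auditd running), collected into one script as an added example that is not part of the original messages. The file paths are assumptions that vary by distribution, and the parsers accept both the `enabled 1` and the older `enabled=1` layouts of `auditctl -s`.

```sh
#!/bin/sh
# Added example (not from the thread). All file paths are assumptions;
# adjust them for the distribution under test.

# Succeeds if the ldd output on stdin lists libaudit as a linked library.
has_libaudit() {
    grep -Eq '(^|[[:space:]])libaudit\.so[.0-9]*[[:space:]]'
}

# Succeeds if `auditctl -s` output on stdin shows auditing enabled (1)
# or enabled and locked (2).
audit_enabled() {
    grep -Eq '(^|[[:space:]])enabled[ =][12]([[:space:]]|$)'
}

# Succeeds if `auditctl -s` output shows a registered daemon (non-zero pid).
auditd_registered() {
    grep -Eq '(^|[[:space:]])pid[ =][1-9][0-9]*([[:space:]]|$)'
}

# Print one line per existing candidate file: linked against libaudit or not.
report_linkage() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        if ldd "$f" 2>/dev/null | has_libaudit; then
            echo "linked:     $f"
        else
            echo "NOT linked: $f"
        fi
    done
}

# Live checks run only with --live (auditctl and ausearch need root).
if [ "${1:-}" = "--live" ]; then
    report_linkage /usr/sbin/sshd /lib*/libpam.so.0 /lib/*/libpam.so.0 \
        /usr/lib*/libpam.so.0 /lib*/security/pam_loginuid.so
    status=$(auditctl -s)
    echo "$status" | audit_enabled     || echo "kernel audit is disabled"
    echo "$status" | auditd_registered || echo "no audit daemon registered"
    # Show the most recent login lifecycle events, if any were recorded.
    ausearch -m USER_LOGIN,USER_LOGOUT -ts today -i 2>/dev/null | tail -n 5
fi
```

A `NOT linked` line for libpam or sshd points back to the build configuration, which is where the replies above say to look.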
