From: "Róbert Nagy" <robert.nagy1@freemail.hu>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Missing login records - Audit functionality in different kernel versions
Date: Thu, 30 May 2019 09:37:23 +0200 (CEST)
Message-ID: <AxkNEg.6xBamOA67vUU.O6mFWVI0mE32fIXmL36@freemail.hu>
Hello all,
I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN record types at all, only USER_LOGIN types.
As I understand these records should be there without any rules set.
https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html
On another server with kernel version 4.9 it works properly. Is there a possibility that this Audit functionality is not implemented in kernel version 3.2, or is this just a configuration issue on my side?
We have too many Debian 3.x production servers to consider kernel upgrade being an option.
If it's a kernel issue, could you please recommend any workaround? Currently I am thinking of parsing the auth.log.
Many thanks,
Robert
auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
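The two things a practitioner would want alongside the question above are a quick check of which of the five record types actually reached audit.log, and a parser for the auth.log fallback the message mentions. The following is an added example, not code from the thread or from the audit project. The USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN records are written by user-space components (PAM modules, sshd, login) through libaudit rather than by kernel rules, so it helps to see exactly what is present before blaming the kernel. The audit.log lines are in the RAW `type=... msg=audit(ts:serial): key=value ...` layout that the `log_format = RAW` setting above produces; the auth.log lines follow the usual Debian syslog/sshd/pam_unix wording. All sample lines are constructed for the example.

```python
"""Check which PAM/login record types an audit.log really contains, and
parse the auth.log lines that can stand in for them.  Added example; the
sample log lines below are constructed, not taken from the thread."""
import re
from collections import Counter

# The user-space (PAM / sshd) record types the message expects to see.
PAM_LOGIN_TYPES = ("USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START", "USER_LOGIN")

# Constructed RAW-format audit.log excerpt for one successful ssh login.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1559201843.101:201): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="robert" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1559201843.102:202): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="robert" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1559201843.103:203): pid=1234 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="robert" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1559201843.105:205): pid=1234 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="robert" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1559201843.106:206): pid=1234 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1559201843.200:207): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1234 pid=1300 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="exec"
"""

# Constructed Debian-style auth.log excerpt (sshd and pam_unix lines).
SAMPLE_AUTH_LOG = """\
May 30 09:37:23 web01 sshd[1234]: Accepted publickey for robert from 192.0.2.10 port 51234 ssh2
May 30 09:37:23 web01 sshd[1234]: pam_unix(sshd:session): session opened for user robert by (uid=0)
May 30 09:38:01 web01 sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
May 30 09:38:05 web01 CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

_REC_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_KV_RE = re.compile(r"""([\w-]+)=('[^']*'|"[^"]*"|\S*)""")
_SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_SSHD_RE = re.compile(r"^(?P<res>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")
_PAM_RE = re.compile(r"^pam_unix\((?P<service>[\w-]+):session\): session (?P<op>opened|closed) for user (?P<user>\S+)")


def _parse_kv(body):
    """Split a record body into key/value pairs; the single-quoted msg='...'
    payload carrying the PAM message is parsed recursively into the same dict."""
    fields = {}
    for key, raw in _KV_RE.findall(body):
        if raw[:1] == "'" and raw[-1:] == "'":
            fields.update(_parse_kv(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_audit_record(line):
    """Parse one RAW audit.log line into a flat dict; None for non-record lines."""
    m = _REC_RE.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"]), **_parse_kv(m["body"])}


def missing_login_types(audit_lines):
    """Return the expected PAM/login record types that never appear in the log."""
    seen = Counter(r["type"] for r in map(parse_audit_record, audit_lines) if r)
    return [t for t in PAM_LOGIN_TYPES if seen[t] == 0]


def parse_auth_log(auth_lines):
    """Turn sshd 'Accepted/Failed' and pam_unix session lines from auth.log into
    events keyed like the audit fields above (op/acct/addr/res), so the same
    downstream logic can consume either source."""
    events = []
    for line in auth_lines:
        m = _SYSLOG_RE.match(line.strip())
        if not m:
            continue
        base = {"ts": m["ts"], "host": m["host"], "exe": m["prog"], "pid": int(m["pid"])}
        s = _SSHD_RE.match(m["msg"])
        if s:
            events.append({**base, "op": "login", "acct": s["user"], "addr": s["addr"], "port": int(s["port"]),
                           "method": s["method"], "res": "success" if s["res"] == "Accepted" else "failed"})
            continue
        p = _PAM_RE.match(m["msg"])
        if p:
            events.append({**base, "op": "PAM:session_" + ("open" if p["op"] == "opened" else "close"),
                           "service": p["service"], "acct": p["user"], "res": "success"})
    return events


if __name__ == "__main__":
    print("missing in sample audit.log:", missing_login_types(SAMPLE_AUDIT_LOG.splitlines()))
    for ev in parse_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(ev)
```

Run `missing_login_types()` over the real `/var/log/audit/audit.log` on both the 3.2 and the 4.9 box and compare the lists; an empty list on one host and the full list on the other confirms the symptom independently of `ausearch`. The auth.log parser deliberately keeps sshd failures and cron session opens as separate events, since an audit-style consumer usually wants `res=failed` and non-interactive sessions treated differently from successful interactive logins.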
Thread overview: 3+ messages
2019-05-30 7:37 Róbert Nagy [this message]
2019-05-30 12:30 ` Missing login records - Audit functionality in different kernel versions Steve Grubb
2019-05-30 15:11 ` Róbert Nagy