* Missing login records - Audit functionality in different kernel versions
From: Róbert Nagy @ 2019-05-30  7:37 UTC (permalink / raw)
  To: linux-audit

Hello all,

I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and USER_LOGIN record types at all, only USER_LOGIN types.

As I understand these records should be there without any rules set.
https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html

On another server with kernel version 4.9 it works properly. Is there a possibility that this Audit functionality is not implemented in kernel version 3.2, or is this just a configuration issue on my side?

We have too many Debian 3.x production servers to consider a kernel upgrade an option.

If it's a kernel issue, could you please recommend any workaround? Currently I am thinking of parsing the auth.log.

Many thanks,
Robert

auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

* Re: Missing login records - Audit functionality in different kernel versions
From: Steve Grubb @ 2019-05-30 12:30 UTC (permalink / raw)
  To: linux-audit

Hello,

On Thursday, May 30, 2019 3:37:23 AM EDT Róbert Nagy wrote:
> I tested Audit on a Debian 7 (kernel version 3.2.0-5-amd64), but in the
> audit.log I get no USER_AUTH, USER_ACCT, CRED_ACQ, USER_START and
> USER_LOGIN record types at all, Only USER_LOGIN types.
> 
> As I understand these records should be there without any rules set.
> https://www.redhat.com/archives/linux-audit/2017-July/msg00046.html

Yes. These are sent by pam. So, the question would be, is your copy of pam 
compiled with audit support?

ldd /usr/lib64/libpam_misc.so | grep libaudit
	libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f06c2c39000)


> On another server with kernel version 4.9 it works properly. Is there a
> possibility that this Audit functionality is not implemented in kernel
> version 3.2, or is this just a configuration issue on my side?

This should be pam.

-Steve
 
> We have too many Debian 3.x production servers to consider kernel upgrade
> being an option.
> 
> If it's a kernel issue, could you please recommend any workaround?
> Currently I am thinking on parsing the auth.log
> 
> Many thanks,
> Robert
> 
> auditd.conf:
> log_file = /var/log/audit/audit.log
> log_format = RAW
> log_group = root
> priority_boost = 4
> flush = INCREMENTAL
> freq = 20
> num_logs = 4
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = NONE
> ##name = mydomain
> max_log_file = 5
> max_log_file_action = ROTATE
> space_left = 75
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = SUSPEND
> disk_full_action = SUSPEND
> disk_error_action = SUSPEND
> ##tcp_listen_port =
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> ##tcp_client_ports = 1024-65535
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
> ##krb5_key_file = /etc/audit/audit.key
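
A script form of the check Steve describes, as an added example that is not code from the thread or from the audit project: it decides from `ldd` output whether a PAM library carries a libaudit dependency, and lists which PAM-generated record types are absent from an audit.log. The PAM library paths are assumptions, and the sample log lines are constructed rather than captured.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the situation above:
#  pam_links_libaudit  - reads `ldd <PAM library>` output on stdin and reports
#                        whether that library was built with audit support;
#  missing_pam_records - lists the PAM-generated record types absent from an
#                        audit.log, which is the symptom reported in the thread.
# Library paths in main() are assumptions; they differ between distributions.

PAM_RECORD_TYPES="USER_AUTH USER_ACCT CRED_ACQ USER_START USER_LOGIN USER_END CRED_DISP"

# stdin: ldd output. Exit 0 when a libaudit shared object is among the deps.
pam_links_libaudit() {
    grep -q 'libaudit\.so'
}

# $1: raw-format audit.log. Prints one missing record type per line; raw lines
# begin with "type=<RECORD_TYPE> msg=audit(...)".
missing_pam_records() {
    for t in $PAM_RECORD_TYPES; do
        grep -q "^type=$t " "$1" || printf '%s\n' "$t"
    done
}

# Writes a constructed (not captured) log fragment and prints its path: a login
# where only sshd's USER_LOGIN and the kernel's LOGIN record were produced.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
type=LOGIN msg=audit(1559202000.100:200): pid=1234 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=5 res=1
type=USER_LOGIN msg=audit(1559202000.123:201): pid=1234 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
EOF
    printf '%s\n' "$f"
}

main() {
    # Live check of this host's PAM library, if one of the assumed paths exists.
    for lib in /lib/x86_64-linux-gnu/libpam.so.0 /lib64/libpam.so.0; do
        [ -r "$lib" ] && command -v ldd >/dev/null 2>&1 || continue
        if ldd "$lib" | pam_links_libaudit; then
            echo "$lib: linked with libaudit"
        else
            echo "$lib: NOT linked with libaudit; PAM login records will be absent"
        fi
    done
    log=$(make_sample_log) || exit 1
    echo "PAM record types absent from the sample log:"
    missing_pam_records "$log"
    rm -f "$log"
}
main "$@"
```

Run it on the affected host and on the working 4.9 host: the difference should show up in the `ldd` verdict, not in the kernel version.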

* Re: Missing login records - Audit functionality in different kernel versions
From: Róbert Nagy @ 2019-05-30 15:11 UTC (permalink / raw)
  To: linux-audit

Steve, thank you for your quick response!
Indeed, that's the problem. My copy of PAM is not compiled with audit support.
Many thanks, again,
Robert