From: Rakesh Kumar
To: "linux-audit@redhat.com", Steve Grubb
Date: Sat, 7 Aug 2021 04:47:56 +0000 (UTC)
Subject: Re: auditd not logging proper log.
Message-ID: <1380684812.550511.1628311676103@mail.yahoo.com>
In-Reply-To: <2108221.irdbgypaU6@x2>

Hi Team,

1) I am using this version of auditctl, version 2.4.4. So does this version have the user login/logout info to log into audit.log?

2) If you want to see the pam.d/login file configuration to check why it's not logging the login/logout info, then please let me know about this; I will be happy to share that file. Or if it needs other pam files to check, also please let me know.

As I see in my system that [kauditd] is running, so it logs all login info.

Please help me on this.

Regards,
Rakesh

On Thursday, July 29, 2021, 09:49:03 PM GMT+5:30, Steve Grubb <sgrubb@redhat.com> wrote:

On Thursday, July 29, 2021 4:19:16 AM EDT Rakesh Kumar wrote:
> I did not get you, in kernel auditd is enabled like kauditd is running then
> what exactly we have to do changes in my system to get full login and log
> out info in audit.log file.

Logging in/out is done in 2 places. First, pam records what it knows. But the
entry point daemon is also supposed to send USER_LOGIN and USER_LOGOUT
events.

Complete information is here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

Gdm, Kdm, and sshd all have been updated to record these events. All that is
needed is to configure --with-audit during the package build. By now, I would
expect all distros to do that.

-Steve

> On Sat, Jul 10, 2021 at 19:57, Steve Grubb <sgrubb@redhat.com> wrote: On
> Saturday, July 10, 2021 2:28:55 AM EDT Rakesh Kumar wrote:
> > 1) I am trying to run the auditd (start/stop) without root user as normal
> > user, how to achieve this on linux?
>
> For security reasons, this is not allowed.
>
> > 2) I am using kernel version 4.19.97 and I am not getting any
> > login/logout, authentication fail/pass log data in audit.log file. Does it need any
> > changes in the config or rules..
>
> This is hardwired into pam. The rules don't matter. I'd check that pam was
> compiled with audit support and that audit is enabled in the kernel.
>
> -Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
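Steve's explanation separates two sources of login records: PAM (USER_AUTH, USER_ACCT, USER_START and similar records, present when libpam is built with audit support) and the entry-point daemon's own USER_LOGIN and USER_LOGOUT records (present only when sshd, gdm and the like are built with --with-audit). Whether the second source is missing on a given host can be read directly from audit.log. The script below is an added example, not code from this thread or from the audit project; the audit.log lines inside it are constructed for the example and follow the standard audit record layout (type=, msg=audit(timestamp:serial):, then key=value pairs with the daemon's own fields inside msg='...'). The function and constant names are the example's own.

```python
"""Offline check of an audit.log excerpt for the two login-event sources the
thread describes: PAM records on one side, the entry-point daemon's own
USER_LOGIN / USER_LOGOUT records on the other.

The log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict

# Records that PAM itself emits (libpam built with audit support).
PAM_TYPES = {"USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START",
             "USER_END", "CRED_DISP", "CRED_REFR"}
# Records the entry-point daemon (sshd, gdm, login, ...) must send itself.
DAEMON_TYPES = {"USER_LOGIN", "USER_LOGOUT"}

# Constructed sample: sshd is built with audit support (PAM records plus
# USER_LOGIN); /bin/login only produces PAM records; one failed ssh auth.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1628311600.101:201): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="rakesh" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1628311600.102:202): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="rakesh" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1628311600.110:203): pid=2101 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix acct="rakesh" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1628311600.111:204): pid=2101 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1628311650.300:210): pid=980 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="rakesh" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_START msg=audit(1628311650.305:211): pid=980 uid=0 auid=1000 ses=8 msg='op=PAM:session_open grantors=pam_unix acct="rakesh" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_AUTH msg=audit(1628311700.400:220): pid=2150 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="rakesh" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
# key=value where value is "quoted", 'quoted' or a bare token
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Parse one audit record into a dict; fields nested in msg='...' are merged in."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in FIELD_RE.findall(m.group("rest")):
        if key == "msg" and val.startswith("'"):
            # the daemon's own fields live inside the single-quoted msg
            for k2, v2 in FIELD_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def login_event_sources(log_text):
    """Map each entry-point executable to the PAM and daemon record types it produced."""
    by_exe = defaultdict(lambda: {"pam": set(), "daemon": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or "exe" not in rec:
            continue
        if rec["type"] in PAM_TYPES:
            by_exe[rec["exe"]]["pam"].add(rec["type"])
        elif rec["type"] in DAEMON_TYPES:
            by_exe[rec["exe"]]["daemon"].add(rec["type"])
    return dict(by_exe)


def daemons_missing_login_events(log_text):
    """Entry points seen through PAM that never sent USER_LOGIN/USER_LOGOUT.

    This is the pattern a daemon built without --with-audit leaves behind:
    PAM records exist, the daemon's own lifecycle records do not."""
    return sorted(exe for exe, src in login_event_sources(log_text).items()
                  if src["pam"] and not src["daemon"])


def failed_auth_attempts(log_text):
    """(timestamp, account, address) for PAM authentication failures."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_AUTH" and rec.get("res") == "failed":
            out.append((rec["ts"], rec.get("acct"), rec.get("addr")))
    return out


if __name__ == "__main__":
    for exe, src in login_event_sources(SAMPLE_LOG).items():
        print(f"{exe}: pam={sorted(src['pam'])} daemon={sorted(src['daemon'])}")
    print("no USER_LOGIN/USER_LOGOUT from:", daemons_missing_login_events(SAMPLE_LOG))
    print("failed PAM authentications:", failed_auth_attempts(SAMPLE_LOG))
```

On the sample, `/usr/sbin/sshd` shows both sources while `/bin/login` shows PAM records only, so `daemons_missing_login_events` names `/bin/login` as the binary to rebuild with audit support. Running the same functions over a real `/var/log/audit/audit.log` answers the thread's question per daemon rather than per distribution; if no PAM records appear at all, the problem is upstream of the daemons (libpam without audit support, or audit disabled in the kernel), which is the check Steve suggests.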