openssh logout not being audited on fc5

Justin Mattock justinmattock at gmail.com
Wed Nov 5 23:03:51 UTC 2008


On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz at redhat.com> wrote:
> On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
>> All,
>> Been googling all day, so sorry if this info is common knowledge,
>> but I can't seem to find it.
>>
>> Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
>> requirement (miserable task that it is), and I have to make this
>> system be NISPOM compliant. Unfortunately, ssh logout isn't showing
>> up in my audit logs, and although I have an idea why, I can't seem to
>> find what I think I need... The system I am building has the
>> following:
>>
>> OS                    = FC5
>> audit subsystem = 1.3-2
>> openssh             = 4.3p2-4.12
>> kernel                 = 2.6.20-1.2320-fc5
>>
>> My RHEL4 systems capture ssh logout just fine, and they are at
>> earlier versions of both openssh and the audit subsystem... I found
>> a note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
>> ssh logout problem for (I think) SuSE 10.1, so I thought I'd try and
>> find a later version of openssh or at least a src.rpm to build a
>> newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
>> src.rpm for el5, but of course, that didn't build properly on my fc5
>> system.
>>
>> Anyone know if I'm chasing my tail? Maybe something else will fix
>> this for FC5 (newer audit pkg?)? Recommendations would be most
>> appreciated. If you all think I DO need a newer openssh version,
>> anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?
>
> You could try to add the relevant patch from the RHEL 5 openssh src.rpm
> to the FC5 package. But is it really a good idea to use such an old package
> at all? There are unfixed CVEs and so on. Of course this applies to the
> rest of the FC5 distribution as well.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
>                                              Turkish proverb
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

Out of curiosity, would this have something
to do with the audit=1 option as a boot param?

-- 
Justin P. Mattock



