
Re: openssh logout not being audited on fc5



Ahh simple pam.d scenario

Justin P. Mattock



On Nov 5, 2008, at 3:10 PM, Tomas Mraz <tmraz redhat com> wrote:

On Wed, 2008-11-05 at 15:03 -0800, Justin Mattock wrote:
On Wed, Nov 5, 2008 at 3:00 PM, Tomas Mraz <tmraz redhat com> wrote:
On Wed, 2008-11-05 at 15:20 -0500, Wieprecht, Karen M. wrote:
All,
Been google-ing all day, so sorry if this info is common knowledge,
but I can't seem to find it.

Trying to build FC5 (2.6.20-1.2320-fc5) system to meet a sponsor
requirement (miserable task that it is), and I have to make this
system be NISPOM compliant. Unfortunately, ssh logout isn't showing up
in my audit logs, and although I have an idea why, I can't seem to
find what I think I need ...  The system I am building has the
following:

OS                    = FC5
audit subsystem = 1.3-2
openssh             = 4.3p2-4.12
kernel                 = 2.6.20-1.2320-fc5

My RHEL4 systems capture ssh logout just fine, and they are at
earlier versions of both openssh and the audit subsystem... I found a
note from a colleague about needing openssh >= 4.3p2-4.13 to fix the
ssh logout problem for (I think) SuSe 10.1, so I thought I'd try and
find a later version of open ssh or at least a src.rpm to build a
newer version for fc5, but I didn't have much luck. Found a 4.3p2-16
src.rpm for el5, but of course, that didn't build properly on my fc5
system.

Anyone know if I'm chasing my tail?  Maybe something else will fix
this for FC5 (newer audit pkg?)? Recommendations would be most
appreciated.   If you all think I DO need a newer openssh version,
anyone know where I can get a src.rpm for fc5 later than 4.3p2-4.12?

You could try to add the relevant patch from the RHEL 5 openssh
src.rpm to the FC5 package. But is it really a good idea to use such an
old package at all? There are unfixed CVEs and so on. Of course this
applies to the rest of the FC5 distribution as well.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                            Turkish proverb

--
Linux-audit mailing list
Linux-audit redhat com
https://www.redhat.com/mailman/listinfo/linux-audit


Out of curiosity, would this have something
to do with the audit=1 option as a boot param?

Nope. The old (or unpatched) openssh just called pam_close_session()
incorrectly.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                             Turkish proverb
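
A check for the symptom discussed in this thread, added here as an example and not part of any poster's message: it pairs sshd session-open and session-close audit records and lists the sessions whose logout was never recorded. It assumes PAM session open and close appear as USER_START and USER_END records; the record layout, the sample lines and the (pid, acct) pairing key are constructed assumptions, so adjust the pattern to the records your audit version writes.

```python
import re
from collections import OrderedDict

# Constructed sample records in the general shape of audit USER_START /
# USER_END lines; hosts, pids, accounts and timestamps are made up.
SAMPLE_LOG = """\
type=USER_START msg=audit(1225926000.101:410): user pid=2301 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=client1.example, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1225926050.220:415): user pid=2350 uid=0 auid=501 msg='PAM: session open acct="bob" : exe="/usr/sbin/sshd" (hostname=client2.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_END msg=audit(1225926300.007:431): user pid=2350 uid=0 auid=501 msg='PAM: session close acct="bob" : exe="/usr/sbin/sshd" (hostname=client2.example, addr=192.0.2.11, terminal=ssh res=success)'
type=USER_START msg=audit(1225926400.500:440): user pid=2410 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
"""

# Pulls record type, timestamp, reporting pid, account and executable.
RECORD = re.compile(
    r'^type=(?P<type>USER_START|USER_END) msg=audit\((?P<ts>[\d.]+):\d+\):'
    r'.*?\bpid=(?P<pid>\d+)\b.*?acct="?(?P<acct>[^" ]+)"?.*?exe="(?P<exe>[^"]+)"')


def unclosed_sshd_sessions(log_text):
    """Return sshd sessions that have a USER_START but no later USER_END.

    Assumption: session open and close are reported by the same sshd pid,
    so (pid, acct) is used as the pairing key.
    """
    open_sessions = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or not m.group("exe").endswith("/sshd"):
            continue  # not a session record, or not written by sshd
        key = (int(m.group("pid")), m.group("acct"))
        if m.group("type") == "USER_START":
            open_sessions[key] = float(m.group("ts"))
        else:
            open_sessions.pop(key, None)  # logout was audited
    return [{"pid": pid, "acct": acct, "opened": ts}
            for (pid, acct), ts in open_sessions.items()]


if __name__ == "__main__":
    for s in unclosed_sshd_sessions(SAMPLE_LOG):
        print("no USER_END for sshd pid=%(pid)d acct=%(acct)s "
              "opened=%(opened).3f" % s)
```

Sessions that are still logged in also show up as unclosed, so compare the result against the currently active logins before treating an entry as a missing logout record.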


