
Thread: Can't audit logout events from ssh or su in OpenSuSE 11.0

  1. #1

    Can't audit logout events from ssh or su in OpenSuSE 11.0

    I am trying to set up auditing for NISPOM requirements using the built-in Linux audit kernel, which uses auditd and audit.rules for setup. I have been able to meet all other requirements, but I cannot find a way to audit user logout actions. My audit.rules file is listed below. Please help if you have any ideas. Thank you.

    Code:
    # This file contains a sample audit configuration intended to
    # meet the NISPOM Chapter 8 rules.
    #
    # This file should be saved as /etc/audit/audit.rules.
    #
    # For audit 1.6.5 and higher
    #
    # Remove any existing rules
    # Increase buffer size to handle the increased number of messages.
    # Feel free to increase this if the machine panics
    -b 8192
    # Set failure mode to panic
    -f 2
    # Audit 1, 1(a) Enough information to determine the date and time of
    # action (e.g., common network time), the system locale of the action,
    # the system entity that initiated or completed the action, the resources
    # involved, and the action involved.
    # Things that could affect time
    -a entry,always -F arch=b32 -S adjtimex -S clock_settime -S settimeofday -k time-change
    -w /etc/localtime -p wa -k time-change
    # Things that could affect system locale
    -a exit,always -F arch=b32 -S sethostname -k system-locale
    -w /etc/issue -p wa -k system-locale
    -w /etc/issue.net -p wa -k system-locale
    -w /etc/hosts -p wa -k system-locale
    -w /etc/sysconfig/network -p wa -k system-locale
    # Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
    # This is covered by patches to login, gdm, and openssh
    # Might also want to watch these files if needing extra information
    -w /var/log/faillog -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    -w /var/log/btmp -p wa -k logins
    -w /var/run/utmp -p wa -k logins
    # Record the exit syscall; a bare "-F exit" with no comparison value (e.g. exit=-EACCES) is rejected by auditctl
    -a exit,always -F arch=b32 -S exit -k logins
    # Audit 1, 1(c) Successful and unsuccessful accesses to
    # security-relevant objects and directories, including
    # creation, open, close, modification, and deletion.
    # unsuccessful creation
    -a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
    -a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
    # unsuccessful open - open and openat may be combined on support arches
    -a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
    -a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
    -a exit,always -F arch=b32 -S openat -F exit=-EACCES -k open
    -a exit,always -F arch=b32 -S openat -F exit=-EPERM -k open
    # unsuccessful close
    -a exit,always -F arch=b32 -S close -F exit=-EACCES -k close
    # unsuccessful modifications - renameat may be combined on supported arches
    -a exit,always -F arch=b32 -S rename -S truncate -S ftruncate -F exit=-EACCES -k mods
    -a exit,always -F arch=b32 -S renameat -F exit=-EACCES -k mods
    -a exit,always -F perm=a -F exit=-EACCES -k mods
    -a exit,always -F perm=a -F exit=-EPERM -k mods
    # unsuccessful deletion - unlinkat may be combined on supported arches
    -a exit,always -F arch=b32 -S rmdir -S unlink -F exit=-EACCES -k delete
    -a exit,always -F arch=b32 -S unlinkat -F exit=-EACCES -k delete
    # Audit 1, 1(d) Changes in user authenticators.
    # Covered by patches to libpam, passwd, and shadow-utils
    # Might also want to watch these files for changes
    -w /etc/group -p rwxa -k auth
    -w /etc/passwd -p rwxa -k auth
    -w /etc/gshadow -p rwxa -k auth
    -w /etc/shadow -p rwxa -k auth
    -w /etc/security/opasswd -p rwxa -k auth
    # Audit 1, 1(e) The blocking or blacklisting of a user ID,
    # terminal, or access port and the reason for the action.
    # Covered by patches to pam_tally2 and pam_limits
    # Audit 1, 1(f) Denial of access resulting from an excessive
    # number of unsuccessful logon attempts.
    # Covered by patches to pam_tally2
    # Audit 1, 2 Audit Trail Protection. The contents of audit trails
    # shall be protected against unauthorized access, modification,
    # or deletion.
    # This should be covered by file permissions, but we can watch it
    # to see any activity
    -w /var/log/NISP_log -k audit-logs
    # Not specifically required by NISPOM; but common sense items
    # Optional - could indicate someone trying to do something bad or
    # just debugging
    #-a entry,always -F arch=b32 -S ptrace -k paranoid
    # Optional - could be an attempt to bypass audit or simply legacy program
    #-a exit,always -F arch=b32 -S personality -k paranoid
    # Put your own watches after this point
    # -w /your-file -p rwxa -k mykey
    # Make the configuration immutable
    -e 1

  2. #2

    Re: Can't audit logout events from ssh or su in OpenSuSE 11.0

    I found that I can access all login and logout times using the "last" command which views /var/log/wtmp messages. I can also save these and bring them up later if necessary for auditing purposes.
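Added example (not from the thread): this is how `last` derives logout times from /var/log/wtmp, by pairing each USER_PROCESS record with the next DEAD_PROCESS record on the same tty. The 384-byte glibc utmp layout (i386 and x86_64) is assumed, the records are constructed test data, and `make_record`, `parse_wtmp` and `sessions` are names chosen here.

```python
import struct

# glibc struct utmp as stored in /var/log/wtmp: 384 bytes, little-endian, no padding
# beyond the 2 bytes after ut_type (same layout on i386 and x86_64).
UTMP_FMT = "<hhi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8              # ut_type values used for login/logout

def _cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Yield (ut_type, ut_line, ut_user, ut_host, tv_sec) for each whole record."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], _cstr(f[3]), _cstr(f[5]), _cstr(f[6]), f[10]

def sessions(data):
    """Pair logins with logouts the way last(1) does: a DEAD_PROCESS record closes
    the most recent USER_PROCESS on the same ut_line. Returns tuples of
    (user, line, host, login_ts, logout_ts or None if still logged in)."""
    open_by_line, result = {}, []
    for typ, line, user, host, ts in parse_wtmp(data):
        if typ == USER_PROCESS:
            open_by_line[line] = [user, line, host, ts, None]
            result.append(open_by_line[line])
        elif typ == DEAD_PROCESS and line in open_by_line:
            open_by_line.pop(line)[4] = ts
    return [tuple(r) for r in result]

def make_record(typ, pid, line, user, host, ts):
    """Build one constructed wtmp record (test data only; short fields are NUL-padded)."""
    return struct.pack(UTMP_FMT, typ, 0, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"", b"")

# Constructed sample: an ssh session on pts/0 that logged out, and a local
# session on pts/1 (no host, as su/local logins appear) that is still open.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "192.0.2.10", 1263900000),
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "", 1263900600),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1263903600),
])

if __name__ == "__main__":
    for user, line, host, login, logout in sessions(SAMPLE):
        print(user, line, host or "-", login, logout if logout else "still logged in")
```

Point `sessions()` at `open("/var/log/wtmp", "rb").read()` to get the same pairs `last` prints; archiving wtmp itself (not just the `last` output) keeps the raw records for later review.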

  3. #3

    Re: Can't audit logout events from ssh or su in OpenSuSE 11.0

    My own patch to /etc/rsyslog.conf for openSUSE 11.2:

    Code:
    --- /etc/rsyslog.conf.orig      2009-10-19 10:46:00.000000000 -0700
    +++ /etc/rsyslog.conf   2010-01-19 11:25:54.000000000 -0800
    @@ -39,10 +39,18 @@
     #
     # print most on tty10 and on the xconsole pipe
     #
    -kern.warning;*.err;authpriv.none        /dev/tty10;RSYSLOG_TraditionalFileFormat
    -kern.warning;*.err;authpriv.none       |/dev/xconsole;RSYSLOG_TraditionalFileFormat
    +kern.warning;*.err      /dev/tty10;RSYSLOG_TraditionalFileFormat
    +kern.warning;*.err     |/dev/xconsole;RSYSLOG_TraditionalFileFormat
     *.emerg                                         *
     
    +# Some standard log files. Log by facility.
    +#
    +auth,authpriv.* /var/log/auth.log;RSYSLOG_TraditionalFileFormat
    +*.*;auth,authpriv.none -/var/log/syslog;RSYSLOG_TraditionalFileFormat
    +daemon.* -/var/log/daemon.log;RSYSLOG_TraditionalFileFormat
    +cron.* /var/log/cron.log;RSYSLOG_TraditionalFileFormat
    +
    +
     # enable this, if you want that root is informed
     # immediately, e.g. of logins
     #*.alert                               root
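    Review bot: removing `authpriv.none` from the two console selectors (`-kern.warning;*.err;authpriv.none` becomes `+kern.warning;*.err`) means authpriv messages at err and above are now also written to /dev/tty10 and |/dev/xconsole; if that is deliberate it deserves a comment in the hunk, otherwise keep the `authpriv.none` exclusion on both lines. Nothing in the hunk restricts the mode of the new /var/log/auth.log either; since `auth,authpriv.*` is routed there, put a `$FileCreateMode 0600` before that rule (and restore the default after it) so the file is not created world-readable.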
    SSH accesses will be logged in /var/log/auth.log

  4. #4

    Re: Can't audit logout events from ssh or su in OpenSuSE 11.0

    Do you know of any log locations that log su login and logout events? NISPOM requires logging of

    "Successful and unsuccessful logons and logoffs.
    ## This is covered by patches to login, gdm, and openssh"

    I'm not sure what the covered by patches part means exactly because I cannot find logoffs anywhere.

    This quote is taken straight from the nispom.rules audit file which would be saved as audit.rules in /etc/audit/
