12.04 auditd will not log user login and logoff in audit.log

0

Auditd only records events of type CWD, PATH and SYSCALL. It never seems to detect USER_LOGIN events, for example. I enabled the rules to capture these login/logout events, but they do not seem to be picked up correctly by auditd. Running aureport --failed or aureport --success never produces any login or authentication results, even though there are several entries in the faillog, wtmp and btmp log files. I do see entries in auth.log, but I am trying to get these entries in one consolidated place, as I have always been able to do on the Redhat and SuSe distros. Any help would be much appreciated.

Versions of audit, libaudit, libauparse0 and audispd-plugins, all: 1:2.3.2-2ubuntu1

audit.rules (minimal, for testing)

-D

-b 8192
-f 2

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change


-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity


-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale


-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

auditd.conf

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = SYNC
freq = 0
num_logs = 0
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = KEEP_LOGS
space_left = 750
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 500
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

faillog output

Login       Failures Maximum Latest                   On

test            1        0   03/21/15 21:31:10 -0400  /dev/pts/3
test2           2        0   03/21/15 22:42:09 -0400  

/var/log/auth.log (snippet)

Mar 21 20:51:11 U1 login[101526]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 20:51:13 U1 login[101526]: pam_securetty(login:auth): access denied: tty '/dev/pts/3' is not secure !
Mar 21 20:51:13 U1 login[101526]: pam_tally(login:auth): pam_get_uid; no such user
Mar 21 21:17:01 U1 CRON[109494]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 21:17:01 U1 CRON[109494]: pam_unix(cron:session): session closed for user root
Mar 21 21:29:33 U1 login[112465]: pam_tally(login:auth): user test2 (1002) tally 5, deny 3
Mar 21 21:29:42 U1 login[112465]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=test2
Mar 21 21:29:45 U1 login[112465]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 21:30:37 U1 login[112471]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=test2
Mar 21 21:30:40 U1 login[112471]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 21:30:54 U1 login[112471]: pam_unix(login:session): session opened for user test2 by root(uid=0)
Mar 21 21:30:54 U1 login[112657]: 'test2' logged in  on '/dev/pts/3'
Mar 21 21:31:14 U1 su[112756]: pam_unix(su:auth): authentication failure; logname=test2 uid=1002 euid=0 tty=/dev/pts/3 ruser=test2 rhost=  user=test
Mar 21 21:31:16 U1 su[112756]: pam_authenticate: Authentication failure
Mar 21 21:31:16 U1 su[112756]: FAILED su for test by test2
Mar 21 21:31:16 U1 su[112756]: - /dev/pts/3 test2:test
Mar 21 21:31:21 U1 login[112471]: pam_unix(login:session): session closed for user test2
Mar 21 22:42:02 U1 login[123946]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=test2
Mar 21 22:42:06 U1 login[123946]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'test2', Authentication failure
Mar 21 22:42:14 U1 login[123946]: FAILED LOGIN (2) on '/dev/pts/2' FOR 'test2', Authentication failure

aureport output

Failed Summary Report
======================
Range of time in logs: 03/21/2015 20:26:48.495 - 03/21/2015 21:46:21.023
Selected time for report: 03/21/2015 20:26:48 - 03/21/2015 21:46:21.023
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 0
Number of terminals: 0
Number of host names: 0
Number of executables: 0
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 0
Number of events: 0
    
por Jon Cee 22.03.2015 / 04:02

1 answer

0

I saw the identical problem running aureport on my 12.04 system. It appears to be caused by an OS bug. See the link. "The bug is not in aureport or libaudit. Aureport looks for AUDIT_USER_LOGIN events in the audit log, but we are not generating them in the login programs because libaudit support is not enabled at compile time or, in the case of lightdm, there is no libaudit support.

Note that we are generating an AUDIT_LOGIN event from the kernel on login, but aureport and friends are looking for AUDIT_USER_LOGIN events from user space."

    
por Harlan 19.11.2015 / 16:28
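The question shows watch rules that clearly fire (SYSCALL/CWD/PATH records) while every aureport login counter stays at 0, and the answer explains why: the kernel emits a LOGIN record, but the USER_LOGIN / USER_AUTH records that aureport counts only appear when the login programs themselves call into libaudit. The following is an added example, not code from the question, the answer or the audit package: it parses audit.log records by type, lists which -k keys were hit, and states whether user-space authentication records are present at all, which is the check that separates "rules not loaded" from "login programs not built with libaudit". The audit.log lines embedded in it are constructed for the example and the record type list is an assumption about which types aureport counts.

```python
import re
from collections import Counter

# Record types emitted by user-space programs (login, sshd, su, PAM modules)
# through libaudit. Assumed here to be the ones aureport's login/authentication
# counters are derived from; they never appear if those programs were built
# without libaudit support.
USERSPACE_AUTH_TYPES = {
    "USER_LOGIN", "USER_AUTH", "USER_ACCT", "USER_START", "USER_END",
    "USER_LOGOUT", "CRED_ACQ", "CRED_DISP",
}

# Generic audit.log record: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
KEY_RE = re.compile(r'\bkey="(?P<key>[^"]*)"')

# Constructed sample audit.log (not from the question): one hit on the
# "-w /var/log/wtmp -p wa -k session" watch, plus the kernel-generated LOGIN
# record the answer mentions. Deliberately no USER_* records.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1426988634.123:1001): arch=c000003e syscall=2 success=yes exit=3 a0=7f1a2b0 a1=441 a2=1a4 a3=0 items=1 ppid=1 pid=112471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4294967295 comm="login" exe="/bin/login" key="session"
type=CWD msg=audit(1426988634.123:1001):  cwd="/"
type=PATH msg=audit(1426988634.123:1001): item=0 name="/var/log/wtmp" inode=131074 dev=08:01 mode=0100664 ouid=0 ogid=43 rdev=00:00
type=LOGIN msg=audit(1426988634.456:1002): login pid=112471 uid=0 old auid=4294967295 new auid=1002 old ses=4294967295 new ses=5
""".splitlines()


def parse_records(lines):
    """Yield (type, serial, body) for every well-formed record; skip the rest."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group("type"), int(m.group("serial")), m.group("body")


def count_types(lines):
    """Number of records per audit record type."""
    return Counter(rtype for rtype, _, _ in parse_records(lines))


def keys_hit(lines):
    """Which rule keys (-k ...) fired, counted per SYSCALL record."""
    hits = Counter()
    for rtype, _, body in parse_records(lines):
        if rtype != "SYSCALL":
            continue
        m = KEY_RE.search(body)
        if m:
            hits[m.group("key")] += 1
    return hits


def diagnose(lines):
    """Explain why aureport's login counters can be 0 while watch rules fire."""
    counts = count_types(lines)
    kernel_login = counts.get("LOGIN", 0)
    userspace_auth = sum(counts.get(t, 0) for t in USERSPACE_AUTH_TYPES)
    if userspace_auth == 0 and kernel_login > 0:
        verdict = ("kernel LOGIN records present but no USER_* records: the login "
                   "programs are not emitting libaudit events, so aureport's "
                   "login/authentication counters stay at 0")
    elif userspace_auth == 0:
        verdict = ("no login-related records at all: check that auditd is running "
                   "and the rules are loaded")
    else:
        verdict = ("user-space authentication records present: aureport "
                   "--success/--failed should list them")
    return {
        "kernel_login_records": kernel_login,
        "userspace_auth_records": userspace_auth,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(dict(count_types(SAMPLE_AUDIT_LOG)))
    print(dict(keys_hit(SAMPLE_AUDIT_LOG)))
    print(diagnose(SAMPLE_AUDIT_LOG)["verdict"])
```

To run it against a real file, replace SAMPLE_AUDIT_LOG with `open("/var/log/audit/audit.log")`. If the verdict is the "no USER_* records" one, the remaining confirmation on the host is whether the login binaries are linked against libaudit at all, e.g. `ldd /bin/login | grep libaudit`; no rule in audit.rules can produce USER_LOGIN records when the program that should emit them was built without that library.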