[PATCH] support using pam_audit.so in "account" stack

Klaus Weidner klaus at atsec.com
Tue Feb 22 00:47:38 UTC 2005


On Mon, Feb 21, 2005 at 02:44:10PM -0800, Casey Schaufler wrote:
> --- Klaus Weidner <klaus at atsec.com> wrote:
> > I'm not aware of an explicit CAPP requirement for logout messages, so I'd
> > consider that to be a "nice to have" feature.
> 
> You need a logout message. Really.

Can you point to a specific requirement in CAPP related to that?

Note that even if you have logout records, they are not a reliable
indication that the session is complete; there may be background
processes launched by the user that keep running (and potentially
generating audit events) after the logout message. If you need that kind
of information and you aren't satisfied with the login UID, you need to
trace all fork/exec/exit events for the session.

-Klaus
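
Added example, not part of the original message: a sketch of the fork/exit tracing described above, showing how far the real end of a session can trail the logout record. The event tuples, field layout and the `session_lifetime` helper are constructed for illustration and are not audit record syntax; the sketch assumes PIDs are not reused within the trace.

```python
# Constructed, simplified events (not real audit record syntax):
# (timestamp, kind, pid, parent_pid)
SAMPLE_EVENTS = [
    (100, "login",  500, 1),    # session leader (login shell) starts
    (105, "fork",   510, 500),  # foreground command
    (106, "exit",   510, 500),
    (110, "fork",   520, 500),  # background job started by the user
    (111, "fork",   521, 520),  # background job spawns a child
    (120, "logout", 500, 1),    # logout record is written
    (120, "exit",   500, 1),    # session leader exits
    (300, "exit",   521, 520),
    (450, "exit",   520, 500),  # last process of the session ends
]


def session_lifetime(events, leader_pid):
    """Follow fork/exit events down from the session leader and compare the
    logout record time with the time the last descendant exited.
    Assumes PIDs are not reused within the trace."""
    alive, survivors = set(), set()
    logout_time = end_time = None
    for ts, kind, pid, ppid in sorted(events, key=lambda e: e[0]):
        if kind == "login" and pid == leader_pid:
            alive.add(pid)
        elif kind == "fork" and ppid in alive:
            alive.add(pid)  # child belongs to the same session
        elif kind == "logout" and pid == leader_pid:
            logout_time = ts
            survivors = alive - {leader_pid}  # still running at logout
        elif kind == "exit" and pid in alive:
            alive.discard(pid)
            if not alive:
                end_time = ts  # every traced process has exited
    return {
        "logout_time": logout_time,
        "running_at_logout": sorted(survivors),
        "session_end": end_time,  # None if processes are still alive
        "still_running": sorted(alive),
    }


if __name__ == "__main__":
    print(session_lifetime(SAMPLE_EVENTS, 500))
```

A `session_end` of `None` with a non-empty `still_running` list means the trace ended while processes from the session were still alive, whatever the logout record says.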




More information about the Linux-audit mailing list