support using pam_audit.so in "account" stack
Leigh Purdie
Leigh.Purdie at intersectalliance.com
Tue Feb 22 22:59:28 UTC 2005
On Tue, 2005-02-22 at 11:00 -0600, Klaus Weidner wrote:
> On Tue, Feb 22, 2005 at 04:25:35PM +1100, Leigh Purdie wrote:
> > I'd also recommend including logout information - regardless of the fact
> > that non-interactive access may still continue (eg:
> > nohup /path/to/blah), it is pretty important for some organisations to
> > be able to determine a users interactive login and logout times.
>
> Don't misunderstand me - I'm not opposed to logout information and agree
> that it can be helpful, but it's not required for CAPP compliance and is
> misleading information if the users get moderately creative.
>
> For some applications such as vsftpd the application code would need to
> be changed to get a logout record - it pretty much requires that there is
> a privileged process that monitors the session, and not all services are
> structured that way
True enough. I stuck login/logout auditing in the 'too hard' basket in
Snare for a fair while, for this (and other) reasons myself. However, If
I printed out the number of requests I'd received for login/logout data
in Snare, I'd be swimming in a paper storm at the moment. ;)
My suggestion is 'build it, and they will come'. Up until recently, SSH
on solaris didn't generate a login/logout message either, but the code
has been modified due to many customer requests. Cover the core feature
set that most people are interested in (interactive login/logout), and
other applications such as vsftp/ssh etc, can be integrated on a
priority basis later on down the track.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
More information about the Linux-audit
mailing list