Login/Logouts (UNCLASSIFIED)

Steve Grubb sgrubb at redhat.com
Wed Feb 28 21:13:38 UTC 2007


On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in position of writing technical implementation guidance for DISA and I
> am looking for a method to audit logins/logouts.

We've patched login, gdm, and openssh to send a USER_LOGIN message to denote 
this event.

time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525 
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525: 
exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0 
res=success)'


> I have not been able to come up with a syscall that would cover this.  Any
> help would be appreciated.

It's actually a whole series of events that allows a login. The sequence is: 
LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ, 
and then USER_LOGIN. Cron and some other daemons that are pamified can create 
most of these events as they run. This is why we send a specific event from 
the app. Aureport looks for USER_LOGIN messages for its login accounting.

[root]# aureport --start today

Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13

If you want more detail, run the login report:
[root]# aureport --start today --login -i

Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81


Hope this helps.

-Steve



