Login/Logouts (UNCLASSIFIED)
Paul Whitney
paul.whitney at mac.com
Wed Feb 28 22:48:54 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
So does that mean this call audit would not work:
- -a exit,possible -w /bin/login -F success=0 -F success!=0
What would be an entry to trap users successfully logging in?
Paul Whitney
Paul.whitney at mac.com
On 2/28/07 4:18 PM, "Valdis.Kletnieks at vt.edu" <Valdis.Kletnieks at vt.edu>
wrote:
> * PGP Signed by an unverified key: 02/28/07 at 16:18:26
> On Wed, 28 Feb 2007 15:31:41 EST, "Mackanick, Jason W CTR DISA GIG-OP"
> said:
>
>> Newbie to the list. I am in position of writing technical
>> implimentation guidance for DISA and I am looking for a method to audit
>> logins/logouts. I have not been able to come up with a syscall that
>> would cover this. Any help would be appreciated.
>
> That's because "login" isn't a single syscall, and a lot of things happen
> during a login - many files get read, programs get run, and so on.
> That's why things like gdm, getty, and ssh are modified to cut a
> non-syscall
> audit record when a user logs in.
> * Valdis Kletnieks <valdis.kletnieks at vt.edu>
> * 0xB4D3D7B0 - Unverified (L)
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBReYGxbdVg+viRqgEAQhLOQgAg5/QLzVIl1raeQdZ7l9nv++wma+fVre9
eo4WifDvQIA07rttrpXkJhYGbDYHKOoWZQzgMfYW77pNJjBgmyopFUmqGMlLoNym
0rF9tT6rdexpgEheqm0yNjL6S2B2iGU3rg+fY3KiLOEy42b0bpfWbExTE21PEB7l
1MS/pZSnbmNSEe0Jg4vH+8iNdMKBdIfr8qWCr4pSFoWr9eOcI0vaCHUWEdmbtynu
wpWlFwCEJ46Mm/YdPC8FRCHzOuLGHjp6GyoFVcc6tHWZ982KSR0l9a9+Q5EBE8vD
nZcfpKB0Xmcp3mtoN/V4ZryCHpuGYgwUzVimcHcqRI9stqecfkjMMw==
=js9E
-----END PGP SIGNATURE-----
More information about the Linux-audit
mailing list