Login/Logouts (UNCLASSIFIED)

Mackanick, Jason W CTR DISA GIG-OP jason.mackanick.ctr at disa.mil
Thu Mar 1 13:41:25 UTC 2007


Classification:  UNCLASSIFIED 
Caveats: NONE

I am running the standard auditd delivered with RHEL4.  What is the
latest set of RPMs that I should have to see the login functionality?
I am on a non-internet-connected network that I cannot use up2date for
packages.


Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Wednesday, February 28, 2007 5:54 PM
To: linux-audit at redhat.com
Cc: Paul Whitney; Valdis.Kletnieks at vt.edu; Mackanick, Jason W CTR DISA
GIG-OP
Subject: Re: Login/Logouts (UNCLASSIFIED)

On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to
collect the information in case it's needed later. The -F options form an
"and" condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.

You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably
not the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages
saying the intent of the pam session.

-Steve
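
The three reasons given in the reply above can be checked mechanically before a rule is loaded. The following is an added example, not part of the original thread or of the audit package: a small Python linter that flags them in an auditctl rule line. The function names and finding codes are hypothetical, and only `=` and `!=` comparisons in -F fields are examined.

```python
import re
import shlex

# Finding codes follow the three reasons given in the reply (names are hypothetical).
MESSAGES = {
    "possible-action": '"possible" only collects information in case it is needed later',
    "contradictory-fields": "-F options are ANDed and these can never all be true",
    "mixed-watch-and-syscall": "-w (watch) and -a (syscall auditing) cannot be mixed",
}

# name=value or name!=value; other comparison operators are deliberately not checked.
FIELD = re.compile(r"(\w+)(!=|=)(.*)")


def contradictory(conds):
    """True if ANDed (op, value) tests on one field cannot hold together."""
    eq = {value for op, value in conds if op == "="}
    ne = {value for op, value in conds if op == "!="}
    return len(eq) > 1 or bool(eq & ne)


def lint_rule(rule):
    """Return the finding codes for a single auditctl rule line."""
    tokens = shlex.split(rule)
    findings, fields = [], {}
    # Walk the line as (option, argument) pairs.
    for opt, arg in zip(tokens, tokens[1:]):
        if opt == "-a" and "possible" in arg.split(","):
            findings.append("possible-action")
        elif opt == "-F":
            m = FIELD.fullmatch(arg)
            if m:
                fields.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    if any(contradictory(conds) for conds in fields.values()):
        findings.append("contradictory-fields")
    if "-a" in tokens and "-w" in tokens:
        findings.append("mixed-watch-and-syscall")
    return findings


if __name__ == "__main__":
    # The two rule lines quoted in the thread.
    for line in ("-a exit,possible -w /bin/login -F success=0 -F success!=0",
                 "-w /bin/login -p x"):
        print(line)
        for code in lint_rule(line) or ["ok"]:
            print("   ", code, MESSAGES.get(code, ""))
```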