audisp-prelude login question
Steve Grubb
sgrubb at redhat.com
Thu Oct 30 10:34:15 UTC 2008
On Wednesday 29 October 2008 22:28:18 LC Bruzenak wrote:
> If so, what is LOGIN?
This is the record emitted by the kernel to say that the user's loginuid has
changed. This would mean that pam_loginuid was run. But the event is being
sent by the kernel, not pam.
> I guess I can go look at the code and find out...but I guess that one isn't
> being grabbed inside the audisp-prelude handle_event() routine.
Because that is not an event of interest in prelide right now.
> If this is the case either the sending code could be made to match (I
> guess pam isn't doing it the same way in each) or else the
> audisp-prelude could be changed to send this one too?
Nope...somewhere the pam originating events are being eaten. You might strace
an xdm login and look for some sendto's followed immediately by recvfrom's to
the audit socket. If they are missing entirely, then xdm is not calling pam.
If they are there, we'd want to look at the return code to see if its having
an error. Is xdm running as root at the point pam is called? Are there
selinux rules? Are there dontaudit rules eating this?
-Steve
More information about the Linux-audit
mailing list