audisp-prelude login question
LC Bruzenak
lenny at magitekltd.com
Thu Oct 30 12:46:57 UTC 2008
On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote:
>
> Nope...somewhere the pam originating events are being eaten. You might strace
> an xdm login and look for some sendto's followed immediately by recvfrom's to
> the audit socket. If they are missing entirely, then xdm is not calling pam.
> If they are there, we'd want to look at the return code to see if its having
> an error. Is xdm running as root at the point pam is called? Are there
> selinux rules? Are there dontaudit rules eating this?
>
I bet you're right. I'll look for this.
I hate it when my own policy foils me...
:)
I appreciate the advice,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list