Authentication Events
Steve Grubb
sgrubb at redhat.com
Wed Jan 14 19:07:15 UTC 2009
On Wednesday 14 January 2009 01:11:02 pm Kevin Boyce wrote:
> Does anyone know if the auditd on RHEL4 is capable of capturing
> logon/logoff and failed authentication events?

The logon/off events should be there as of update 2. But they were improved to
meet NISPOM in Update 3. They are hardwired into pam and you should not have
to do anything except use a version of pam from Update 2 or later.

> Would this just be a configuration change in the PAM stack to allow
> auditd to get these events, rather than using syslog?

No changes are needed unless you want to add pam_tally2.

-Steve
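
An added example, not part of the original message or of the audit project's code: one way to pull failed authentications and logon/logoff events out of the audit log once PAM is emitting them. The record type names (USER_AUTH, USER_LOGIN, USER_START, USER_END), the field layout and every sample line are assumptions constructed for illustration; the exact format differs between audit and pam versions.

```python
import re
from collections import Counter

# Constructed sample records, not taken from the thread. Field layout is an
# assumption modelled on PAM-generated USER_* records and varies by version.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1231959900.101:201): user pid=4101 uid=0 auid=4294967295 msg='PAM: authentication acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1231959905.330:202): user pid=4101 uid=0 auid=4294967295 msg='PAM: authentication acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1231959911.712:203): user pid=4101 uid=0 auid=4294967295 msg='PAM: authentication acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1231959911.900:204): user pid=4101 uid=0 auid=500 msg='acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_START msg=audit(1231959912.004:205): user pid=4101 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=SYSCALL msg=audit(1231959920.500:206): arch=40000003 syscall=5 success=yes exit=3 pid=4120 uid=500 comm="cat" exe="/bin/cat"
type=USER_END msg=audit(1231960500.250:207): user pid=4101 uid=0 auid=500 msg='PAM: session close acct="alice" : exe="/usr/sbin/sshd" (hostname=192.0.2.10, addr=192.0.2.10, terminal=ssh res=success)'
type=USER_AUTH msg=audit(1231960600.018:208): user pid=4188 uid=0 auid=4294967295 msg='PAM: authentication acct="root" : exe="/usr/sbin/sshd" (hostname=198.51.100.7, addr=198.51.100.7, terminal=ssh res=failed)'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|[^\s,)']+)""")
PAM_TYPES = {"USER_AUTH", "USER_LOGIN", "USER_START", "USER_END"}

def parse_record(line):
    """Return a dict for a PAM-originated record, or None for anything else."""
    m = RECORD_RE.match(line)
    if not m or m.group(1) not in PAM_TYPES:
        return None
    # key=value pairs after the header; quoted values lose their quotes
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    return {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3)),
            "acct": fields.get("acct", "?"), "addr": fields.get("addr", "?"),
            "res": fields.get("res", "?")}

def failed_auth_summary(log_text):
    """Count failed authentication/login records per (account, source address)."""
    failures = Counter()
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        if rec["type"] in ("USER_AUTH", "USER_LOGIN") and rec["res"] == "failed":
            failures[(rec["acct"], rec["addr"])] += 1
    return failures

def session_events(log_text):
    """List (type, account) for session open/close records, in log order."""
    recs = filter(None, map(parse_record, log_text.splitlines()))
    return [(r["type"], r["acct"]) for r in recs if r["type"] in ("USER_START", "USER_END")]

if __name__ == "__main__":
    for (acct, addr), n in failed_auth_summary(SAMPLE_LOG).most_common():
        print(f"{n} failed attempt(s) for {acct} from {addr}")
    print(session_events(SAMPLE_LOG))
```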