USER_LOGIN
Steve Grubb
sgrubb at redhat.com
Mon Jul 19 14:07:05 UTC 2010
On Monday, July 19, 2010 09:33:11 am List Quest wrote:
> - Trying FTP Connect:
>
> Following lines writing to audit.log
> type=USER_AUTH ...
> type=USER_ACCT ...
> (NO USER_LOGIN LINE?)
>
> Wyh this?
No one patched the ftp deamon to send it. The USER_LOGIN event is sent by the
daemon after authentication/authorization completes. This is to distinguish
actual sessions from the pam events you noted which may not actually be
associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm, and login have
all been patched to do this. I'm not entirely sure we considered ftp to be a
shell giving free access to the system and that would be the most likely
reason its not been patched.
-Steve
More information about the Linux-audit
mailing list