USER_LOGIN

List Quest listquest at gmail.com
Tue Jul 20 11:58:35 UTC 2010


Hi,

Thank you very much.

On Mon, Jul 19, 2010 at 5:07 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, July 19, 2010 09:33:11 am List Quest wrote:
> > - Trying FTP Connect:
> >
> > The following lines are written to audit.log
> > type=USER_AUTH ...
> > type=USER_ACCT ...
> > (NO USER_LOGIN LINE?)
> >
> > Why this?
>
> No one patched the ftp daemon to send it. The USER_LOGIN event is sent by
> the daemon after authentication/authorization completes. This is to
> distinguish actual sessions from the pam events you noted which may not
> actually be associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm,
> and login have all been patched to do this. I'm not entirely sure we
> considered ftp to be a shell giving free access to the system and that
> would be the most likely reason it's not been patched.
>
> -Steve
>
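
An added example, not part of the original thread: a small Python check that finds daemons whose sessions pass PAM authentication and accounting but never emit USER_LOGIN, which is the gap described in the reply above. The log records are constructed and simplified, `/usr/sbin/ftpd` is a placeholder path, and grouping a session by the daemon's pid is an assumption.

```python
import re
from collections import defaultdict

# Constructed, simplified audit.log records (not taken from the thread).
# Assumptions: /usr/sbin/ftpd is a placeholder path, and all events of one
# session carry the same daemon pid.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1279540391.101:501): pid=2101 uid=0 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_ACCT msg=audit(1279540391.105:502): pid=2101 uid=0 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_LOGIN msg=audit(1279540391.220:505): pid=2101 uid=0 msg='op=login acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_AUTH msg=audit(1279540450.010:511): pid=2207 uid=0 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/ftpd" terminal=ftp res=failed'
type=USER_AUTH msg=audit(1279540460.300:512): pid=2208 uid=0 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/ftpd" terminal=ftp res=success'
type=USER_ACCT msg=audit(1279540460.304:513): pid=2208 uid=0 msg='op=PAM:accounting acct="bob" exe="/usr/sbin/ftpd" terminal=ftp res=success'
type=USER_ACCT msg=audit(1279540500.000:520): pid=2300 uid=0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
"""

# key=value pairs; values are either double-quoted or run up to whitespace/'.
FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s\']+)')
PAM_TYPES = frozenset({"USER_AUTH", "USER_ACCT"})
TRACKED = PAM_TYPES | {"USER_LOGIN"}


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def pam_without_login(log_text):
    """Executables that completed PAM auth and accounting but sent no USER_LOGIN."""
    seen = defaultdict(set)  # (pid, exe) -> successful event types
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("res") != "success" or rec.get("type") not in TRACKED:
            continue
        if "pid" in rec and "exe" in rec:
            seen[(rec["pid"], rec["exe"])].add(rec["type"])
    return sorted({exe for (_, exe), types in seen.items()
                   if PAM_TYPES <= types and "USER_LOGIN" not in types})


if __name__ == "__main__":
    for exe in pam_without_login(SAMPLE_LOG):
        print(f"{exe}: authenticated sessions with no USER_LOGIN event")
```

Any executable this reports needs its sessions tracked through the PAM events, since a rule keyed only on USER_LOGIN will not see them.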