aulast only displaying reboot pseudo-users

Laurent Bigonville bigon at debian.org
Thu Jun 5 17:34:04 UTC 2014 

Le Wed, 04 Jun 2014 19:04:52 -0400,
Steve Grubb <sgrubb at redhat.com> a écrit :

> On Thursday, June 05, 2014 12:42:39 AM Laurent Bigonville wrote:
> > Le Wed, 04 Jun 2014 18:23:29 -0400,
> > 
> > Steve Grubb <sgrubb at redhat.com> a écrit :
> > > On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> > > > On my machine with audit 2.3.6 the following call to aulast is
> > > > only displaying the "reboot" pseudo-users and not the actual
> > > > logins:
> > > > 
> > > > ausearch --start this-month --raw | aulast --stdin
> > > > 
> > > > Passing the "--bad" option to aulast, seems to correctly return
> > > > the failed login attempt.
> > > > 
> > > > Also, adding the login name to the aulast command doesn't seems
> > > > to work at all even with the --bad option.
> > > > 
> > > > OTOH, the aulastlog command seems to work as expected.
> > > > 
> > > > An idea?
> > >  
> > >  Would this happen to be a system with a recent GDM and systemd?
> > > If
> > > 
> > > so, they are known to be messing up the audit trail. I am trying
> > > to write a system validation test suite to spot issues like this.
> > > If you look at gdm, its sending duplicate events. Systemd events
> > > don't make it to audit all the time. Its a mess on the desktop
> > > right now.
> > 
> > Yes indeed I'm running gdm 3.12 and systemd 208.
> > 
> > But I'm not seeing anything in aulast output when I'm login in on a
> > tty.
> > 
> > ausearch is however giving me this:
> > 
> > bigon at fornost:~$ sudo ausearch -m ALL -ts 00:35|grep test
> > type=USER_AUTH msg=audit(1401921359.577:1394): pid=15760 uid=0
> > auid=4294967295 ses=4294967295
> > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> > msg='op=PAM:authentication acct="test" exe="/bin/login" hostname=?
> > addr=? terminal=/dev/tty1 res=success' 
> > type=USER_ACCT msg=audit(1401921359.577:1395): pid=15760 uid=0
> > auid=4294967295 ses=4294967295
> > subj=system_u:system_r:local_login_t:s0- s0:c0.c1023
> > msg='op=PAM:accounting acct="test" exe="/bin/login" hostname=?
> > addr=?> terminal=/dev/tty1 res=success'
> 
> You are missing a type=LOGIN event right here. If you do a "cat 
> /proc/self/loginuid" and its set to something besides -1, we have a
> kernel bug.
> 


Actually, my grepping was wrong, I'm seeing this the following line too:

type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1

More information about the Linux-audit mailing list