audit 1.0.7 released

Steve Grubb sgrubb at redhat.com
Thu Oct 20 14:58:40 UTC 2005


On Thursday 20 October 2005 10:42, Rob Myers wrote:
> is the login summary support supposed to be functional yet? 

Yes...but...what I did was instrument login and gdm with a new message type 
that sends the login information. These are already in rawhide. These patches 
will be carried over to RHEL4 for U3. I will also be patching sshd. A new 
message type was used because it's hard to tell that the intent of a session 
open is because of a login.

This is what it looks like:

Login Summary Report
=======================================
# auid host term exe success date event
=======================================
1. 0 ? tty1 /bin/login yes 10/20/05 64
2. 0 ? tty1 /bin/login yes 10/20/05 63
3. 4325 localhost :0 /usr/sbin/gdm-binary yes 10/20/05 75


> i don't really like the newline that ctime adds on the event reports.
> this patch seems to take care of it, but perhaps there is a better way.

This line has already changed since last night. It's:

        tv = localtime(&l->e.sec);
        strftime(date, sizeof(date), "%x %X", tv);
        printf("%u. %lu %s %s %s\n", line_item,
                  l->e.serial,
                  audit_msg_type_to_name(l->head->type),
                  aulookup_uid(l->s.loginuid, name, sizeof(name)), date);

So, that should produce lines like this:

Event Summary Report
===========================
# event type auid date time
===========================
1. 97 USER_AUTH 4325 10/20/05 10:54:28
2. 98 USER_ACCT 4325 10/20/05 10:54:28
3. 99 USER_START 4325 10/20/05 10:54:28
4. 100 CRED_ACQ 4325 10/20/05 10:54:28
5. 101 AVC -1 10/20/05 10:54:59


Thanks for the feedback.

-Steve
