Login/Logouts (UNCLASSIFIED)

Steve Grubb sgrubb at redhat.com
Wed Feb 28 22:54:28 UTC 2007


On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to collect
the information in case it's needed later. The -F options form an "and"
condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.

You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably not 
the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages saying
the intent of the PAM session.

-Steve
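
Added example, not part of the original message and not code from the audit project: a small Python linter that checks an auditctl rule line for the three problems the reply lists. The function name `lint_rule` and the problem codes are hypothetical, and only `=` and `!=` comparisons in `-F` are examined.

```python
import re
import shlex

# Matches "-F" arguments of the form name=value or name!=value only.
FIELD = re.compile(r"^(\w+)(!=|=)(.*)$")

def lint_rule(rule):
    """Return (code, message) pairs for the three problems named in the reply."""
    tokens = shlex.split(rule)
    actions, has_watch, has_syscall_rule = [], False, False
    equal, not_equal = {}, {}
    # Walk each token together with the token that follows it (its argument).
    for flag, arg in zip(tokens, tokens[1:] + [""]):
        if flag == "-a":
            has_syscall_rule = True
            actions = arg.split(",")          # e.g. "exit,possible"
        elif flag == "-w":
            has_watch = True
        elif flag == "-F":
            m = FIELD.match(arg)
            if m:
                name, op, value = m.groups()
                bucket = equal if op == "=" else not_equal
                bucket.setdefault(name, set()).add(value)
    problems = []
    if "possible" in actions:
        problems.append(("possible-action",
                         "'possible' only collects information in case it is needed later"))
    for name, values in equal.items():
        # -F conditions are ANDed: x=0 with x!=0, or x=0 with x=1, can never match.
        if len(values) > 1 or values & not_equal.get(name, set()):
            problems.append(("contradictory-filter",
                             f"-F conditions on '{name}' cannot all be true at once"))
    if has_watch and has_syscall_rule:
        problems.append(("watch-mixed-with-syscall",
                         "-w (watch) and -a (syscall rule) cannot be mixed in one rule"))
    return problems

if __name__ == "__main__":
    # Both rule lines are taken from the message above.
    for line in ("-a exit,possible -w /bin/login -F success=0 -F success!=0",
                 "-w /bin/login -p x"):
        print(line)
        for code, message in lint_rule(line) or [("ok", "no problems found")]:
            print(f"  {code}: {message}")
```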