[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Login/Logouts (UNCLASSIFIED)



Classification:  UNCLASSIFIED 
Caveats: NONE

I am running the standard auditd delivered with rhel4.  What is the
latest set of rpm's that I should have to see the login functionality?
I am on a non-internet-connected network that I can not use up2date for
packages. 


Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team

-----Original Message-----
From: Steve Grubb [mailto:sgrubb redhat com] 
Sent: Wednesday, February 28, 2007 5:54 PM
To: linux-audit redhat com
Cc: Paul Whitney; Valdis Kletnieks vt edu; Mackanick, Jason W CTR DISA
GIG-OP
Subject: Re: Login/Logouts (UNCLASSIFIED)

On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to
collect the information in case its needed later. The -F options form an
"and" 
condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.

You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably
not the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages
saying the intent of the pam session.

-Steve
Classification:  UNCLASSIFIED 
Caveats: NONE



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]