
RE: Login/Logouts (UNCLASSIFIED)

Classification:  UNCLASSIFIED 
Caveats: NONE

I am running the standard auditd delivered with RHEL4.  What is the
latest set of RPMs that I should have to see the login functionality?
I am on a non-internet-connected network that I cannot use up2date for

Jason Mackanick, CISSP
DISA FSO Supports & Standards Section
Technical Support Team

-----Original Message-----
From: Steve Grubb [mailto:sgrubb redhat com] 
Sent: Wednesday, February 28, 2007 5:54 PM
To: linux-audit redhat com
Cc: Paul Whitney; Valdis Kletnieks vt edu; Mackanick, Jason W CTR DISA
Subject: Re: Login/Logouts (UNCLASSIFIED)

On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to
collect the information in case it's needed later. The -F options form an
condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.

You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably
not the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages
saying the intent of the PAM session.

Classification:  UNCLASSIFIED 
Caveats: NONE
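
A small lint for the three problems the reply above identifies in the quoted rule, as an added example that is not part of the original thread or of the audit project. The function name `lint_audit_rule` and the finding codes are hypothetical, and it checks only those three conditions.

```python
import re
import shlex

# Matches only the "=" and "!=" comparisons of an -F field filter.
_FILTER = re.compile(r"(\w+)(!=|=)(.+)$")

def lint_audit_rule(rule):
    """Return finding codes for one auditctl rule line (empty list = none)."""
    tokens = shlex.split(rule)
    action, filters = None, []
    for opt, arg in zip(tokens, tokens[1:]):
        if opt == "-a":
            action = arg
        elif opt == "-F":
            filters.append(arg)
    findings = []
    # Reason 1: "possible" only collects context; it emits no record by itself.
    if action and "possible" in action.split(","):
        findings.append("possible-action")
    # Reason 2: -F filters are ANDed, so field=V with field!=V never matches.
    seen = {}
    for f in filters:
        m = _FILTER.match(f)
        if m:
            field, op, value = m.groups()
            seen.setdefault((field, value), set()).add(op)
    for (field, value), ops in sorted(seen.items()):
        if ops == {"=", "!="}:
            findings.append(f"contradictory-filter:{field}")
    # Reason 3: -w (file watch) and -a (syscall rule) cannot share one rule.
    if "-w" in tokens and action is not None:
        findings.append("watch-with-syscall")
    return findings

# Constructed sample: the two rules from the thread plus one ordinary syscall rule.
SAMPLE_RULES = [
    "-a exit,possible -w /bin/login -F success=0 -F success!=0",
    "-w /bin/login -p x",
    "-a exit,always -S open -F success=0",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, "->", lint_audit_rule(rule) or "ok")
```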
