How to capture a login event?

Steve Grubb sgrubb at redhat.com
Wed Nov 7 20:53:03 UTC 2007


On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote:
> I'm trying to detect when logins (successful) and login attempts
> (unsuccessful) occur using the auditing subsystem.

This is done automatically for you as long as the audit system is enabled. 
Changing the loginuid generates this record:

type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500

But just because a loginuid (auid) was changed does not mean that a login 
occurred. For example, cron sets the auid when it runs a script on behalf of 
a user. In that case, no one logged in.

To distinguish actual logins from other loginuid changes, the entry point 
daemons have been modified to send a USER_LOGIN event right after the 
pam_session would have been attempted to be started. These events look like 
this:

type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'

> Is there an auditing rule that can do this?

No, it's hardwired, so you don't have anything to configure for this kind of 
event. You can suppress this with a rule if you didn't want it.

-Steve
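The distinction Steve draws above (a LOGIN record only says the loginuid changed; a USER_LOGIN record is an actual login attempt whose res= field says whether it succeeded) is easy to turn into log-parsing code. The following is an added example, not code from the post or from the audit project; the sample records are constructed, copied from the two formats quoted above plus one failed sshd attempt written in the same USER_LOGIN shape, and the field names beyond those shown in the post (op, acct, res=failed) are assumptions about that shape.

```python
import re
from typing import Dict, List

# Constructed sample audit records: the two quoted in the post plus an
# assumed failed sshd attempt in the same USER_LOGIN layout (not from the post).
SAMPLE_LOG = """\
type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'
type=LOGIN msg=audit(1194465600.001:7470): login pid=9700 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194465601.123:7471): user pid=9702 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
"""

UNSET_AUID = 4294967295  # (unsigned)-1: no loginuid has been set on this task yet

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs: values may be "double-quoted", 'single-quoted' or bare.
# The old "old auid=" / "new auid=" keys contain a space, so match them explicitly.
KV_RE = re.compile(r'''((?:old|new) auid|[\w-]+)=("[^"]*"|'[^']*'|[^\s,)]+)''')


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'a=1 b="x y" c=z' into a dict, stripping quotes and a trailing ':'."""
    return {k: v.strip("\"'").rstrip(":") for k, v in KV_RE.findall(text)}


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit line into type, timestamp, serial, outer fields and the
    nested msg='...' payload that USER_* records carry."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = parse_kv(m.group("body"))
    inner = parse_kv(fields.pop("msg", ""))  # outer parse captured msg='...' whole
    return {"type": m.group("type"), "time": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields, "msg": inner}


def classify(lines: List[str]) -> List[Dict[str, object]]:
    """Map records onto what the post says they mean:
       LOGIN      -> loginuid was set (could be cron, not necessarily a login)
       USER_LOGIN -> a real login attempt; res= tells success from failure."""
    events: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        f, msg = rec["fields"], rec["msg"]
        if rec["type"] == "LOGIN":
            events.append({"kind": "loginuid_set", "auid": f["new auid"],
                           "was_unset": int(f["old auid"]) == UNSET_AUID,
                           "serial": rec["serial"]})
        elif rec["type"] == "USER_LOGIN":
            ok = msg.get("res") == "success"
            events.append({"kind": "login_ok" if ok else "login_failed",
                           "auid": f.get("auid"),
                           "acct": msg.get("acct", msg.get("uid")),
                           "exe": msg.get("exe"), "addr": msg.get("addr"),
                           "terminal": msg.get("terminal"), "serial": rec["serial"]})
    return events


def login_summary(lines: List[str]) -> Dict[str, int]:
    """Count real logins (from USER_LOGIN) separately from bare loginuid changes."""
    ev = classify(lines)
    return {"successful": sum(e["kind"] == "login_ok" for e in ev),
            "failed": sum(e["kind"] == "login_failed" for e in ev),
            "loginuid_changes": sum(e["kind"] == "loginuid_set" for e in ev)}


if __name__ == "__main__":
    for e in classify(SAMPLE_LOG.splitlines()):
        print(e)
    print(login_summary(SAMPLE_LOG.splitlines()))
```

Counting only USER_LOGIN records gives one successful and one failed login for the sample, while the two LOGIN records are reported as loginuid changes that, as the post explains, may or may not correspond to a login. On a real system the same parser can be fed the output of `ausearch -m USER_LOGIN,LOGIN --raw`; and if the USER_LOGIN events are not wanted, the rule the post alludes to is an exclude-list rule keyed on the message type (for example `auditctl -a exclude,always -F msgtype=USER_LOGIN`), which is standard auditctl syntax rather than something from this thread.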