[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 2.0.4 auid problem




I would like to audit specifically interactive actions taken from the console ttys (ttyS0,ttyS1,tty-1-6) and I've just discovered the /bin/login we use here was compiled without PAM libs. So I guess I will not be able to get auid nor TTY auditing...

By the way is there any way/future way to filter on TTY (at least just for syscalls where the tty= appears in) using auditctl -F option ? It seems -F includes a lot of objects but not tty ?

Regards

JF


-----Message d'origine-----
De : Steve Grubb [mailto:sgrubb redhat com]
Envoyé : jeudi 3 juin 2010 16:30
À : linux-audit redhat com
Cc : Jean-Francois Vincent
Objet : Re: audit 2.0.4 auid problem

On Thursday, June 03, 2010 09:55:35 am Jean-Francois Vincent wrote:
> 1 ) Is there any bug with auid always set to  4294967295 ?

You need pam_loginuid added to crond, gdm, login, kdm, sshd, vsftpd, or any
pamified entry point daemon. (but not sudo or su.)


>  2) I've also searched for logging commands specifics to a TTY but it
seems
> auditd cannot filter on one specific TTY. I've looking for auditctl -F
> options but I don't see any TTY filtering option. Is it possible ?

Look for pam_tty_audit man page.

-Steve




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]