aulast only displaying reboot pseudo-users

Steve Grubb sgrubb at redhat.com
Wed Jun 4 23:04:52 UTC 2014 

On Thursday, June 05, 2014 12:42:39 AM Laurent Bigonville wrote:
> Le Wed, 04 Jun 2014 18:23:29 -0400,
> 
> Steve Grubb <sgrubb at redhat.com> a écrit :
> > On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> > > On my machine with audit 2.3.6 the following call to aulast is only
> > > displaying the "reboot" pseudo-users and not the actual logins:
> > > 
> > > ausearch --start this-month --raw | aulast --stdin
> > > 
> > > Passing the "--bad" option to aulast, seems to correctly return the
> > > failed login attempt.
> > > 
> > > Also, adding the login name to the aulast command doesn't seems to
> > > work at all even with the --bad option.
> > > 
> > > OTOH, the aulastlog command seems to work as expected.
> > > 
> > > An idea?
> >  
> >  Would this happen to be a system with a recent GDM and systemd? If
> > 
> > so, they are known to be messing up the audit trail. I am trying to
> > write a system validation test suite to spot issues like this. If you
> > look at gdm, its sending duplicate events. Systemd events don't make
> > it to audit all the time. Its a mess on the desktop right now.
> 
> Yes indeed I'm running gdm 3.12 and systemd 208.
> 
> But I'm not seeing anything in aulast output when I'm login in on a tty.
> 
> ausearch is however giving me this:
> 
> bigon at fornost:~$ sudo ausearch -m ALL -ts 00:35|grep test
> type=USER_AUTH msg=audit(1401921359.577:1394): pid=15760 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:authentication acct="test" exe="/bin/login" hostname=? addr=?
> terminal=/dev/tty1 res=success' 
> type=USER_ACCT msg=audit(1401921359.577:1395): pid=15760 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-
> s0:c0.c1023 msg='op=PAM:accounting acct="test" exe="/bin/login" hostname=?
> addr=?> terminal=/dev/tty1 res=success'

You are missing a type=LOGIN event right here. If you do a "cat 
/proc/self/loginuid" and its set to something besides -1, we have a kernel 
bug.

-Steve


> type=USER_START msg=audit(1401921359.617:1403): pid=15760 uid=0 auid=1002
> ses=66 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct="test" exe="/bin/login" hostname=? addr=?
> terminal=/dev/tty1 res=success' type=CRED_ACQ
> msg=audit(1401921359.617:1404): pid=15760 uid=0 auid=1002 ses=66
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="test" exe="/bin/login" hostname=? addr=? terminal=/dev/tty1
> res=success' type=USER_LOGIN msg=audit(1401921359.617:1405): pid=15760
> uid=0 auid=1002 ses=66 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=login acct="test" exe="/bin/login" hostname=? addr=?
> terminal=/dev/tty1 res=success' type=USER_END
> msg=audit(1401921360.221:1408): pid=15760 uid=0 auid=1002 ses=66
> subj=system_u:system_r:local_login_t:s0-s0:c0.c1023
> msg='op=PAM:session_close acct="test" exe="/bin/login" hostname=? addr=?
> terminal=/dev/tty1 res=success'

More information about the Linux-audit mailing list