[redhat-lspp] USER_LOGIN record no longer has acct field

Steve Grubb sgrubb at redhat.com
Wed Sep 20 18:37:20 UTC 2006


On Wednesday 20 September 2006 12:58, Linda Knippers wrote:
> > In the case where we log a message pre-authentication, you get acct since
> > it did not correlate to a uid.
>
> I think it would be nice if the success message and the failure
> message had the same information, so acct in both cases if that's
> all we can get for the failure case.

The audit system throughout has favored uids over names for compactness. Also, 
users can change their name but rarely their uid. In all the trusted apps, 
the uid is more trustworthy since it has already been verified.

> type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
> auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
> exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
> terminal=/dev/pts/3 res=success)'
>
> type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
> auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
> msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
> res=failed)'
>
> Do you know why we often get an addr of 2.0.0.0?

I'd have to trace through the code and know about your network. 

> Also, why does terminal=sshd in the failure case?

I think the terminal isn't claimed until session open.

> And are we not able to get the hostname and other info in that case?

I'd have to look at the code. Patches are welcome... :)

-Steve
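
The two USER_LOGIN records quoted in this thread show the distinction Steve describes: after authentication the record carries a kernel-verified uid (and a real auid), while the pre-authentication failure carries only acct=, the name the client claimed, with auid=4294967295 (unsigned -1, "no login uid assigned yet"). The parser below is an added example, not code from the thread or from the audit project; it re-joins the two wrapped records from the mail as its sample input, keeps the verified uid and the merely claimed acct apart, turns the "?" placeholders into missing values, and counts failures per claimed account. The field names it assigns (identity, identity_kind, login_uid_set) are its own.

```python
import re

UNSET_AUID = 4294967295  # (unsigned)-1: the kernel's "no login uid assigned yet"

# Sample input for this example only: the two USER_LOGIN records quoted in the
# thread above, re-joined onto one line each (the mail client wrapped them).
SAMPLE_RECORDS = [
    'type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0 '
    'auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg=\'uid=0: '
    'exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0, '
    'terminal=/dev/pts/3 res=success)\'',
    'type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0 '
    'auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 '
    'msg=\'acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd '
    'res=failed)\'',
]

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value or key="value" pairs inside the daemon-written msg='...' body
KV_RE = re.compile(r'(\w+)="?([^",\s()]+)"?')


def parse_user_login(record):
    """Parse one USER_LOGIN line into a flat dict.

    The outer pid/uid/auid/subj pairs are filled in by the kernel; the quoted
    msg='...' body is written by the user-space daemon (sshd here). Inside that
    body the first field is either uid=N (post-authentication, an identity the
    kernel already verified) or acct=NAME (pre-authentication, only the name
    the client claimed). The two are kept apart under identity_kind.
    """
    m = HEADER_RE.match(record)
    if not m or m.group("type") != "USER_LOGIN":
        raise ValueError("not a USER_LOGIN record: %r" % record)
    outer, _, inner = m.group("rest").partition(" msg='")
    inner = inner.rstrip("'")
    fields = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    for tok in outer.split():  # "user pid=... uid=... auid=... subj=..."
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    for k in ("pid", "uid", "auid"):
        fields[k] = int(fields[k])
    subject, _, detail = inner.partition(": ")
    k, _, v = subject.partition("=")
    if k == "uid":
        fields["identity"], fields["identity_kind"] = v, "uid"   # verified
    elif k == "acct":
        fields["identity"], fields["identity_kind"] = v, "acct"  # claimed only
    else:
        raise ValueError("unexpected subject field %r" % subject)
    for k, v in KV_RE.findall(detail):
        fields[k] = None if v == "?" else v  # "?" means the daemon had no value
    fields["login_uid_set"] = fields["auid"] != UNSET_AUID
    return fields


def failed_logins_by_claimed_account(records):
    """Count res=failed records, keyed by how the identity was established.

    Failures are normally keyed as acct:NAME because the name is all a
    pre-authentication record carries; a uid:N key can only come from a
    record written after the kernel verified the user.
    """
    counts = {}
    for rec in records:
        f = parse_user_login(rec)
        if f["res"] != "failed":
            continue
        key = "%s:%s" % (f["identity_kind"], f["identity"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        f = parse_user_login(rec)
        print("serial=%d res=%s %s=%s auid_set=%s addr=%s terminal=%s" % (
            f["serial"], f["res"], f["identity_kind"], f["identity"],
            f["login_uid_set"], f["addr"], f["terminal"]))
    print(failed_logins_by_claimed_account(SAMPLE_RECORDS))
```

The check a practitioner wants from this is the pairing of identity_kind with login_uid_set: a record that says acct= and auid=4294967295 names an account nobody has proven ownership of, so counting such failures per acct gives a brute-force signal, while any decision that grants something should key on a uid from a record where the login uid was set.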