[redhat-lspp] USER_LOGIN record no longer has acct field
Steve Grubb
sgrubb at redhat.com
Wed Sep 20 18:46:19 UTC 2006
On Wednesday 20 September 2006 13:20, Linda Knippers wrote:
> I just upgraded from audit 1.2.5 to 1.2.7 and now I see slightly
> different information in the hostname/addr/terminal fields:
Well, the hostname/addr code changed. It was throwing away addr and using
hostname. It was supposed to record what was given to it.
> The hostname is correct for the success case and the address is
> correct for the failure case. I suppose terminal isn't known on
> the failure case because the login didn't occur?
Right. Terminal is grabbed in session startup phase.
> In that case, should it be '?'?
The LOGIN event, I think, is using the pam data, so this is what was passed to
pam. Traditionally, in the absence of a terminal, the daemon name was used.
This predates the audit work.
> I see addr=2.0.0.0 on other messages too so my question about that
> isn't specific to this message type.
If you find a problem in the code, please send a patch.
Thanks,
-Steve
More information about the redhat-lspp
mailing list