List: linux-audit
Subject: Re: How to capture a login event?
From: Steve Grubb <sgrubb () redhat ! com>
Date: 2007-11-07 20:53:03
Message-ID: 200711071553.04448.sgrubb () redhat ! com
On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote:
> I'm trying to detect when logins (successful) and login attempts
> (unsuccessful) occur using the auditing subsystem.
This is done automatically for you as long as the audit system is enabled.
Changing the loginuid generates this record:
type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500
But just because a loginuid (auid) was changed does not mean that a login
occurred. For example, cron sets the auid when it runs a script on behalf of
a user. In that case, no one logged in.
To distinguish actual logins from other loginuid changes, the entry point
daemons have been modified to send a USER_LOGIN event right after the
pam_session would have been attempted to be started. These events look like
this:
type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'
> Is there an auditing rule that can do this?
No, it's hardwired so you don't have anything to configure for this kind of
event. You can suppress this with a rule if you didn't want it.
-Steve
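The distinction Steve draws above (a LOGIN record only says the loginuid changed; a USER_LOGIN record with res=success is the actual login) is easy to lose when reading raw audit.log lines. The following parser is an added example, not code from the linux-audit project or from this thread: it parses the two records quoted in the reply plus one constructed failed-login record (a hypothetical sshd USER_LOGIN with res=failed and the documentation address 192.0.2.10), separates the inner msg='...' fields from the outer ones, and classifies each record. The treatment of "old auid" / "new auid" as two-word keys follows the LOGIN record shown above; other kernel versions may spell these differently.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every audit record starts: type=<T> msg=audit(<secs>.<millis>:<serial>): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value tokens; the value may be "double-quoted", 'single-quoted' or bare
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
UNSET_AUID = "4294967295"  # (unsigned)-1: loginuid has never been set for this process

# Sample input. The first two lines are the records quoted in the reply above;
# the third is CONSTRUCTED for this example to show a failed remote login.
SAMPLE_RECORDS = [
    "type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500",
    "type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe=\"/usr/sbin/gdm-binary\" "
    "(hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'",
    # constructed record (hypothetical sshd failure), not from the original post
    "type=USER_LOGIN msg=audit(1194450000.123:300): user pid=3000 uid=0 auid=4294967295 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=\"bob\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=192.0.2.10 terminal=ssh res=failed'",
]


@dataclass
class AuditEvent:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, str]   # key=value pairs in the record body
    inner: Dict[str, str]    # key=value pairs inside the quoted msg='...' part, if any


def parse_kv(text: str) -> Dict[str, str]:
    """Split a record body (or an inner msg string) into key/value pairs."""
    # The LOGIN record spells the before/after loginuid as "old auid=" / "new auid=";
    # fold the two-word names into single keys so the second does not overwrite the first.
    text = re.sub(r"\b(old|new)\s+(auid|ses)=", r"\1_\2=", text)
    out: Dict[str, str] = {}
    for key, raw in KV_RE.findall(text):
        if raw[0] in "\"'":
            val = raw[1:-1]              # drop surrounding quotes
        else:
            val = raw.rstrip(":,)")      # strip punctuation glued on by the free-form inner message
        out[key] = val
    return out


def parse_record(line: str) -> Optional[AuditEvent]:
    """Parse one audit.log line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = parse_kv(m.group("body"))
    inner = parse_kv(fields.pop("msg", ""))
    return AuditEvent(
        type=m.group("type"),
        timestamp=float(f"{m.group('secs')}.{m.group('ms')}"),
        serial=int(m.group("serial")),
        fields=fields,
        inner=inner,
    )


def classify(ev: AuditEvent) -> str:
    """Tell a real login apart from a bare loginuid change."""
    if ev.type == "USER_LOGIN":
        # Sent by the entry-point daemon itself, so this is an actual login attempt.
        return "login_success" if ev.inner.get("res") == "success" else "login_failure"
    if ev.type == "LOGIN":
        # Only says the loginuid was set; cron does this too, with nobody logging in.
        return "loginuid_change"
    return "other"


def summarize(lines: List[str]) -> List[dict]:
    """Reduce a batch of records to the fields a reviewer cares about."""
    out = []
    for line in lines:
        ev = parse_record(line)
        if ev is None:
            continue
        out.append({
            "serial": ev.serial,
            "kind": classify(ev),
            "auid": ev.fields.get("new_auid", ev.fields.get("auid")),
            "exe": ev.inner.get("exe"),
            "addr": ev.inner.get("addr"),
            "terminal": ev.inner.get("terminal"),
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS):
        print(row)
```

Run on the sample, the LOGIN record comes out as loginuid_change and only the two USER_LOGIN records are reported as login outcomes, which is the filter you would apply before alerting on "a user logged in"; a bare auid transition from 4294967295 is not enough on its own.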