On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to collect
the information in case it's needed later. The -F options form an "and"
condition. Both cannot be true at the same time. And "-w" is watches
while "-a" is syscall auditing...you cannot mix the two.
You might try:
-w /bin/login -p x
But that would get you the fact that the file was executed but probably not
the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages saying
the intent of the pam session.
-Steve
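
The three objections in the reply above, written as a small lint for audit rule lines. This is an added example, not part of the original message or of the audit project's code; `lint_rule` is a hypothetical helper, and it analyses only the `=` and `!=` operators in `-F` fields.

```python
import re
import shlex

FIELD = re.compile(r"^(\w+)(!=|=)(.*)$")  # only = and != are analysed

def lint_rule(line):
    """Return the problems found in one audit rule line (hypothetical helper)."""
    args = shlex.split(line)
    problems = []

    # "-w" creates a file watch, "-a" a syscall rule; one line cannot be both.
    if "-w" in args and "-a" in args:
        problems.append("mixes -w (watch) with -a (syscall rule)")

    # "-a list,action": per the reply, "possible" only collects information
    # in case it is needed later.
    for opt, val in zip(args, args[1:]):
        if opt == "-a" and "possible" in val.split(","):
            problems.append("action 'possible' only collects context")

    # All -F conditions are ANDed, so look for pairs that can never both hold.
    seen = {}  # field -> list of (operator, value)
    for opt, val in zip(args, args[1:]):
        m = FIELD.match(val) if opt == "-F" else None
        if not m:
            continue
        field, op, value = m.groups()
        for prev_op, prev_value in seen.get(field, []):
            same = prev_value == value
            if (op != prev_op and same) or (op == prev_op == "=" and not same):
                problems.append(f"-F {field} conditions can never both be true")
        seen.setdefault(field, []).append((op, value))
    return problems

# Constructed sample input: the rule from the question and the suggested watch.
if __name__ == "__main__":
    for rule in ("-a exit,possible -w /bin/login -F success=0 -F success!=0",
                 "-w /bin/login -p x"):
        print(rule, "->", lint_rule(rule) or "ok")
```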