Does anyone know if the auditd on RHEL4 is capable of capturing
logon/logoff and failed authentication events? This seems to work
flawlessly without any additional changes on a RHEL5 system.
Would this just be a configuration change in the PAM stack to allow
auditd to get these events, rather than using syslog?
Any ideas would be helpful.
Thanks,
Kevin