Re: Login/Logouts (UNCLASSIFIED)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
So does that mean this call audit would not work:
- -a exit,possible -w /bin/login -F success=0 -F success!=0
What would be an entry to trap users successfully logging in?
Paul Whitney
Paul.whitney(a)mac.com
On 2/28/07 4:18 PM, "Valdis.Kletnieks(a)vt.edu" <Valdis.Kletnieks(a)vt.edu>
wrote:
* PGP Signed by an unverified key: 02/28/07 at 16:18:26
On Wed, 28 Feb 2007 15:31:41 EST, "Mackanick, Jason W CTR DISA GIG-OP"
said:
> Newbie to the list. I am in position of writing technical
> implimentation guidance for DISA and I am looking for a method to audit
> logins/logouts. I have not been able to come up with a syscall that
> would cover this. Any help would be appreciated.
That's because "login" isn't a single syscall, and a lot of things
happen
during a login - many files get read, programs get run, and so on.
That's why things like gdm, getty, and ssh are modified to cut a
non-syscall
audit record when a user logs in.
* Valdis Kletnieks <valdis.kletnieks(a)vt.edu>
* 0xB4D3D7B0 - Unverified (L)
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)
iQEVAwUBReYGxbdVg+viRqgEAQhLOQgAg5/QLzVIl1raeQdZ7l9nv++wma+fVre9
eo4WifDvQIA07rttrpXkJhYGbDYHKOoWZQzgMfYW77pNJjBgmyopFUmqGMlLoNym
0rF9tT6rdexpgEheqm0yNjL6S2B2iGU3rg+fY3KiLOEy42b0bpfWbExTE21PEB7l
1MS/pZSnbmNSEe0Jg4vH+8iNdMKBdIfr8qWCr4pSFoWr9eOcI0vaCHUWEdmbtynu
wpWlFwCEJ46Mm/YdPC8FRCHzOuLGHjp6GyoFVcc6tHWZ982KSR0l9a9+Q5EBE8vD
nZcfpKB0Xmcp3mtoN/V4ZryCHpuGYgwUzVimcHcqRI9stqecfkjMMw==
=js9E
-----END PGP SIGNATURE-----