On Monday, July 19, 2010 09:33:11 am List Quest wrote: > - Trying FTP Connect: > > Following lines writing to audit.log > type=USER_AUTH ... > type=USER_ACCT ... > (NO USER_LOGIN LINE?) > > Wyh this? No one patched the ftp deamon to send it. The USER_LOGIN event is sent by the daemon after authentication/authorization completes. This is to distinguish actual sessions from the pam events you noted which may not actually be associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm, and login have all been patched to do this. I'm not entirely sure we considered ftp to be a shell giving free access to the system and that would be the most likely reason its not been patched. -Steve