Re: Auditing Logons/Logoffs
On Friday, July 14, 2017 3:51:16 PM EDT warron.french wrote:
Back to this again, as I thought my coworker had addressed it months
ago,
but he did not as I cannot find anything.
*THE_SUBJECT*: Auditing Logons and Logoffs (success/failures)
I am aware of the following files:
/var/log/faillog, and
/var/log/lastlog
The following link is relevant to RHEL5 (maybe 6 and 7??):
https://www.stigviewer.com/stig/oracle_linux_5/2015-12-07/finding/V-818
Is there an appropriate syscall for handling *THE_SUBJECT*?
Nope. This is hardwired into the applications. There is a specification here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-L...
That explains each event that is part of the login and logout and its meaning.
Do I use the syntax as advised in the link provided at
stigviewer.com?
Nope. Its hardwired. As long as audit is enabled, you'll get them.
-Steve
We are dealing with systems that do tie into IPA, but have to ensure
*THE_SUBJECT* is being addressed and forwarded.
I have to support both RHEL6 and RHEL7.
Thanks in advance,
--------------------------
Warron French