Yup, you are absolutely right.
FC5 currently has an update to 4.3p2-12 (not 13 yet), and it doesn't work.
FC6 currently runs 4.3p2-19, and it does indeed produce the logout event.
Thanks for the quick feedback!
Steve Grubb wrote:
On Thursday 03 May 2007 10:00, Robert Evans wrote:
> In doing some testing with the last audit module (testing on FC5) I found
> the following behavior
>
> 1. login and logout events recorded from GDM login
> 2. login and logout events recorded from su
> 3. login events recorded from ssh connections, no logout events (USER_END)
> logged.
Login is marked by the USER_LOGIN event. There should be a USER_START event
that identifies the beginning of the session. A USER_END event denotes the
end of the session. So, for "su"...you should see a session begin, not a
login.
> Is there something I need to do to catch these ssh disconnects?
Update openssh. This was a bug in that the logging of this event was done from
a place where not enough privileges existed. I think 4.3p2-13 has the fix
for it.
-Steve
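
Added example, not part of the original thread: a small Python check that pairs USER_START with USER_END records and reports sessions that never logged a close, which is the symptom discussed above for ssh. The log lines are constructed samples in the audit log's key=value style, and matching open and close on the (exe, pid) pair is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1178200000.101:40): pid=2101 uid=0 auid=500 msg='op=login acct="rob" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_START msg=audit(1178200000.150:41): pid=2101 uid=0 auid=500 msg='op=PAM:session_open acct="rob" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_START msg=audit(1178200100.010:52): pid=2200 uid=500 auid=500 msg='op=PAM:session_open acct="root" exe="/bin/su" terminal=pts/1 res=success'
type=USER_END msg=audit(1178200160.020:60): pid=2200 uid=500 auid=500 msg='op=PAM:session_close acct="root" exe="/bin/su" terminal=pts/1 res=success'
type=USER_START msg=audit(1178200200.300:71): pid=2300 uid=0 auid=501 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_END msg=audit(1178200900.400:88): pid=2300 uid=0 auid=501 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" terminal=ssh res=success'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    # Dropping the single quotes exposes the fields nested inside msg='...'.
    flat = line.replace("'", " ")
    return {key: value.strip('"') for key, value in FIELD.findall(flat)}


def unclosed_sessions(log_text):
    """Return (exe, acct, terminal) for each USER_START with no USER_END."""
    open_sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("res") != "success":
            continue
        # Assumption: the process that opened the session also logs its end.
        key = (rec.get("exe"), rec.get("pid"))
        if rec.get("type") == "USER_START":
            open_sessions[key].append(rec)
        elif rec.get("type") == "USER_END" and open_sessions[key]:
            open_sessions[key].pop()
    return [(r["exe"], r["acct"], r["terminal"])
            for recs in open_sessions.values() for r in recs]


if __name__ == "__main__":
    for exe, acct, terminal in unclosed_sessions(SAMPLE_LOG):
        print(f"no USER_END for {acct} via {exe} on {terminal}")
```

Sessions that are still active when the log is read also appear as unclosed, so compare the output against currently logged-in users.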