I have been creating an auditing procedure. I am working with 2
different OS's opensuse 11.x (everything is working fine.) and debian
5.0.4 (I am having problems with this.)
My setup for auditd is the same in both places. However on the debian
system I get no audit events for user authentication for things like
ssh and su. I do properly receive file/directory and syscall events. I
am at a complete loss it almost seems like auditd doesnt even see the
login at all. I looked at the kernel config but all audit related
things seem to be enabled.