On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> On my machine with audit 2.3.6 the following call to aulast is only
> displaying the "reboot" pseudo-users and not the actual logins:
>
> ausearch --start this-month --raw | aulast --stdin
>
> Passing the "--bad" option to aulast seems to correctly return the
> failed login attempt.
> Also, adding the login name to the aulast command doesn't seem to work
> at all, even with the --bad option.
> OTOH, the aulastlog command seems to work as expected.
> Any idea?

Would this happen to be a system with a recent GDM and systemd? If so, they
are known to be messing up the audit trail. I am trying to write a system
validation test suite to spot issues like this. If you look at gdm, it's
sending duplicate events. Systemd events don't make it to audit all the time.
It's a mess on the desktop right now.
-Steve