On Tue, 2005-02-22 at 11:00 -0600, Klaus Weidner wrote:
> On Tue, Feb 22, 2005 at 04:25:35PM +1100, Leigh Purdie wrote:
> > I'd also recommend including logout information - regardless of the fact
> > that non-interactive access may still continue (eg:
> > nohup /path/to/blah), it is pretty important for some organisations to
> > be able to determine a user's interactive login and logout times.
>
> Don't misunderstand me - I'm not opposed to logout information and agree
> that it can be helpful, but it's not required for CAPP compliance and is
> misleading information if the users get moderately creative.
>
> For some applications such as vsftpd the application code would need to
> be changed to get a logout record - it pretty much requires that there is
> a privileged process that monitors the session, and not all services are
> structured that way.

True enough. I stuck login/logout auditing in the 'too hard' basket in
Snare for a fair while, for this (and other) reasons myself. However, if
I printed out the number of requests I'd received for login/logout data
in Snare, I'd be swimming in a paper storm at the moment. ;)

My suggestion is 'build it, and they will come'. Up until recently, SSH
on Solaris didn't generate a login/logout message either, but the code
has been modified due to many customer requests. Cover the core feature
set that most people are interested in (interactive login/logout), and
other applications such as vsftp/ssh etc, can be integrated on a
priority basis later on down the track.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/