On Fri, Apr 08, 2005 at 10:11:34PM +0100, David Woodhouse wrote:
On Fri, 2005-04-08 at 12:10 -0500, Klaus Weidner wrote:
> The pam_close_session record isn't required by CAPP, we had a discussion
> about session end records some time ago. It's generally less reliable
> than the start record anyway since the session close record doesn't mean
> that all processes launched by that user have terminated; some may have
> been backgrounded.
One answer to this might be to assign a unique 'session id' cookie at
login time, then store and log it with the loginuid at all times.
That's what the LAuS implementation did - it's not strictly CAPP required
but it's helpful for tracing back an arbitrary audit event record to the
corresponding login record that started the session.
It's in theory possible to do that without a session ID by tracing the
ancestry through records of fork() syscalls, but that's a lot more work
and needs an uninterrupted audit trail of all intervening fork()s.
-Klaus