Re: Which userspace packages modified for audit
On Sun, Feb 25, 2007 at 02:40:57PM -0500, Steve Grubb wrote:
On Sunday 25 February 2007 13:41:56 Marcus Meissner wrote:
> Most of them have just support for emitting USER_LOGIN audit records.
>
> Are these necessary, because PAM emits USER_START / USER_END records
> anyway...
Yes. NISPOM is concerned about tracking login/logout. How do you distinguish
an actual login/logout vs the start of a session with the pam records? su and
cron, for example, do not do an actual login yet they create those records.
We could really handle this together with the loginuid tracking, right?
The pam_loginuid module could also generate the USER_LOGIN messages for instance?
Ciao, Marcus