From: LC Bruzenak <lenny@magitekltd.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: audisp-prelude login question
Date: Wed, 29 Oct 2008 21:28:18 -0500
Message-ID: <1225333698.9388.287.camel@homeserver>

Steve,

This is a follow-up to the question I sent you earlier.
Thanks for the suggestions.

It does appear that the xdm login is auditing just fine, however the
audisp-prelude plugin appears to not send the events to the prelude
server.

I think this is the difference:
When sent by gdm it is this:
node=hugo type=USER_LOGIN msg=audit(10/29/2008 21:03:49.410:256209) : user pid=16890 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7 res=success)' 

When sent by xdm it is this:
node=v1 type=LOGIN msg=audit(10/29/2008 21:19:35.287:30749) : login pid=29371 uid=root old auid=unset new auid=lenny old ses=4294967295 new ses=1646 

Note that the types are different.

So, is USER_LOGIN (above) = AUDIT_USER_LOGIN 1112 (from libaudit.h)?

If so, what is LOGIN? I guess I can go look at the code and find
out...but I guess that one isn't being grabbed inside the audisp-prelude
handle_event() routine.

If this is the case either the sending code could be made to match (I
guess pam isn't doing it the same way in each) or else the
audisp-prelude could be changed to send this one too?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
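
An added example, not code from this mail or from audisp-prelude: a small Python parser for the two `ausearch -i` record shapes quoted above, which normalises the PAM/gdm-generated USER_LOGIN record and the kernel-generated LOGIN record (emitted when the login uid is set, which is what pam_loginuid does) into the single login event a handle_event()-style consumer would want. The two sample lines are constructed from the records in the mail; the type numbers come from the kernel's linux/audit.h, where AUDIT_LOGIN is 1006 and AUDIT_USER_LOGIN is the 1112 quoted above.

```python
import re

# Type numbers from the kernel's linux/audit.h (AUDIT_USER_LOGIN is the value quoted in the mail).
TYPE_NUMBERS = {"LOGIN": 1006, "USER_LOGIN": 1112}

# Constructed samples in `ausearch -i` form, copied from the two records in the mail.
GDM_RECORD = ("node=hugo type=USER_LOGIN msg=audit(10/29/2008 21:03:49.410:256209) : user pid=16890 "
              "uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny "
              "exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7 res=success)'")
XDM_RECORD = ("node=v1 type=LOGIN msg=audit(10/29/2008 21:19:35.287:30749) : login pid=29371 uid=root "
              "old auid=unset new auid=lenny old ses=4294967295 new ses=1646")

# key=value fields: keys such as `old auid` carry a one-word prefix; values are single-quoted
# (may contain spaces) or bare (end at whitespace, ',' or ')').
FIELD_RE = re.compile(r"((?:\w+ )?\w+)=('[^']*'|[^\s,)]*)")
HEADER_RE = re.compile(r"^(.*?)msg=audit\(([^)]*)\)\s*:\s*(.*)$")

def parse_record(line: str) -> dict:
    """Flatten one record into a dict; a quoted msg='...' payload is parsed into 'msg.*' keys."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    header, stamp, body = m.groups()
    fields = dict(FIELD_RE.findall(header))
    fields["timestamp"] = stamp
    first, _, rest = body.partition(" ")   # drop the leading kind word ("user", "login")
    if "=" in first:
        rest = body
    for key, val in FIELD_RE.findall(rest):
        if val.startswith("'"):
            fields.update(("%s.%s" % (key, k), v) for k, v in FIELD_RE.findall(val[1:-1]))
        else:
            fields[key] = val
    return fields

def login_event(line: str) -> dict:
    """Normalise either record type to what a login consumer such as handle_event() needs."""
    f = parse_record(line)
    rtype = f.get("type")
    if rtype not in TYPE_NUMBERS:
        raise ValueError("not a login record: type=%s" % rtype)
    ev = {"type": rtype, "number": TYPE_NUMBERS[rtype], "node": f.get("node"), "timestamp": f["timestamp"]}
    if rtype == "USER_LOGIN":   # PAM/gdm: identity at top level, outcome inside the quoted msg
        ev.update(auid=f.get("auid"), ses=f.get("ses"), exe=f.get("msg.exe"),
                  terminal=f.get("msg.terminal"), result=f.get("msg.res"))
    else:                       # kernel LOGIN: records the auid/ses being assigned, no outcome
        ev.update(auid=f.get("new auid"), ses=f.get("new ses"), old_auid=f.get("old auid"),
                  exe=None, terminal=None, result=None)
    return ev
```

Running `login_event(XDM_RECORD)` yields auid `lenny` and session `1646` from the `new auid`/`new ses` fields, while `login_event(GDM_RECORD)` takes the outcome from the nested `res=success`; a consumer that only dispatches on USER_LOGIN never sees the first.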
