From: LC Bruzenak <lenny@magitekltd.com>
To: Dan Gruhn <Dan.Gruhn@groupw.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit Prelude Logout Tracking
Date: Thu, 19 Feb 2009 08:45:55 -0600
Message-ID: <1235054755.11692.127.camel@homeserver>
In-Reply-To: <499D6C14.5060205@groupw.com>


On Thu, 2009-02-19 at 09:26 -0500, Dan Gruhn wrote:
> 
> LC Bruzenak wrote:
> > On Wed, 2009-02-18 at 16:44 -0600, LC Bruzenak wrote:
> >   
> LCB,
> 
> Thanks for the tip that the hostname/addr info is only for remote access 
> information.
> 
> Although this seemed like the right place to look, I don't see 
> USER_LOGOUT events in my audit logs; this is why I mentioned the 
> USER_END events.  Do you remember USER_LOGOUT working back when you 
> tried before?

I thought that is what I saw previously, but it isn't there now. 
Only login/logout on the console gives these messages. 
I need to go back through some old email - I thought Steve patched this
a while back.

> 
> I am interested in the patches that you make to audisp-prelude.c.  Do 
> you think they might be useful to me in my NISPOM quest?  If so, are 
> they patches from 1.7.11 and could you send me a copy?

I'll gladly send you a copy off-list - the changes are specific to what
I'm doing. Basically I had to sub-format the user text in order to key
off what I wanted to send to prelude. 

You may need to incorporate something similar...unless of course between
us we can provide a non-intrusive patch Steve would accept which would
accommodate user-designated IDS events! :)

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
