From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Mackanick, Jason W CTR DISA GIG-OP" <jason.mackanick.ctr@disa.mil>
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 16:13:38 -0500 [thread overview]
Message-ID: <200702281613.39089.sgrubb@redhat.com> (raw)
In-Reply-To: <5B93875C42278C43A32F0BEB91CEABBB015C9CC8@laccadive.disanet.disa-u.mil>
On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in position of writing technical implimentation guidance for DISA and I
> am looking for a method to audit logins/logouts.
We've patched login, gdm, and openssh to send a USER_LOGIN message to denote
this event.
time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525:
exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0
res=success)'
> I have not been able to come up with a syscall that would cover this. Any
> help would be appreciated.
Its actually a whole series of events that allows a login. Thesequence is:
LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ ,
and then USER_LOGIN. Cron and some other daemons that are pamified can create
most of these events as they run. This is why we send a specific event from
the app. Aureport looks for USER_LOGIN messages for its login accounting.
[root]# aureport --start today
Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13
If you want more detail, run the login report:
[root]# aureport --start today --login -i
Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81
Hope this helps.
-Steve
next prev parent reply other threads:[~2007-02-28 21:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-28 20:31 Login/Logouts (UNCLASSIFIED) Mackanick, Jason W CTR DISA GIG-OP
2007-02-28 21:13 ` Steve Grubb [this message]
2007-02-28 21:18 ` Valdis.Kletnieks
2007-02-28 22:48 ` Paul Whitney
2007-02-28 22:54 ` Steve Grubb
2007-03-01 13:41 ` Mackanick, Jason W CTR DISA GIG-OP
2007-03-01 14:05 ` Steve Grubb
2007-03-01 14:21 ` Mackanick, Jason W CTR DISA GIG-OP
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200702281613.39089.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=jason.mackanick.ctr@disa.mil \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.