From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: How to capture a login event?
Date: Wed, 7 Nov 2007 15:53:03 -0500	[thread overview]
Message-ID: <200711071553.04448.sgrubb@redhat.com> (raw)
In-Reply-To: <47322174.4080902@gmail.com>

On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote:
> I'm trying to detect when logins (successful) and login attempts
> (unsuccessful) occur using the auditing subsystem.

This is done automatically for you as long as the audit system is enabled. 
Changing the loginuid generates this record:

type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old 
auid=4294967295 new auid=500

But just because a loginuid (auid) was changed does not mean that a login 
occurred. For example, cron sets the auid when it runs a script on behalf of 
a user. In that case, no one logged in.

To distinguish actual logins from other loginuid changes, the entry point 
daemons have been modified to send a USER_LOGIN event right after the 
pam_session would have been attempted to be started. These events look like 
this:

type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: 
exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 
res=success)'

> Is there an auditing rule that can do this?

No, it's hardwired so you don't have anything to configure for this kind of 
event. You can suppress this with a rule if you didn't want it.

-Steve
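The distinction Steve draws above, LOGIN records marking any loginuid change versus USER_LOGIN records marking an actual login attempt with a res= outcome, is what a log consumer has to encode. Below is an added example, not code from the thread or from the audit project, that parses the two record shapes quoted in the reply and classifies each line. The first two sample lines are the records from the reply; the third and fourth (a cron-style LOGIN record and a failed sshd USER_LOGIN, including its acct= field and addresses) are constructed for the example and are assumptions, not records from the thread.

```python
"""Classify Linux audit records: real logins vs. mere loginuid changes.

Added example; not part of the mailing-list thread or of audit itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# auid=4294967295 is (unsigned)-1: the process has no loginuid set yet.
UNSET_AUID = 4294967295

# Constructed sample log. Lines 1-2 are the records quoted in the reply;
# lines 3-4 are assumed: a LOGIN record as cron produces when it starts a
# user's job, and a failed USER_LOGIN from sshd (field values illustrative).
SAMPLE_LOG = """\
type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'
type=LOGIN msg=audit(1194465600.001:7500): login pid=9700 uid=0 old auid=4294967295 new auid=501
type=USER_LOGIN msg=audit(1194465700.123:7600): user pid=9800 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="bob": exe="/usr/sbin/sshd" (hostname=198.51.100.7, addr=198.51.100.7, terminal=ssh res=failed)'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# LOGIN records carry "old auid=... new auid=..." with a space in the key,
# so they get their own pattern instead of generic key=value parsing.
AUID_CHANGE_RE = re.compile(r"old auid=(?P<old>\d+) new auid=(?P<new>\d+)")
# key=value tokens: value is a double- or single-quoted string, or a bare
# run of non-space characters (possibly followed by ',', ':' or ')').
KV_RE = re.compile(r"""(?P<key>[A-Za-z_]\w*)=(?P<val>"[^"]*"|'[^']*'|\S+)""")


def parse_fields(text: str) -> dict:
    """Return key=value pairs from a record body or from its nested msg='...'."""
    fields = {}
    for m in KV_RE.finditer(text):
        val = m.group("val")
        if val[:1] in "\"'":
            val = val[1:-1]           # drop surrounding quotes
        else:
            val = val.rstrip(",:)")   # punctuation trailing a bare value
        fields[m.group("key")] = val
    return fields


@dataclass
class LoginEvent:
    serial: int
    timestamp: float
    kind: str                 # "login", "login_failed" or "loginuid_change"
    auid: int
    exe: Optional[str] = None
    addr: Optional[str] = None
    terminal: Optional[str] = None


def classify(line: str) -> Optional[LoginEvent]:
    """Turn one audit line into a LoginEvent; None for unrelated record types."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.group("type", "ts", "serial", "body")
    if rtype == "LOGIN":
        # Any loginuid change (cron, gdm, sshd, ...). Not evidence of a login.
        c = AUID_CHANGE_RE.search(body)
        if not c:
            return None
        return LoginEvent(int(serial), float(ts), "loginuid_change", int(c.group("new")))
    if rtype == "USER_LOGIN":
        outer = parse_fields(body)
        inner = parse_fields(outer.get("msg", ""))
        kind = "login" if inner.get("res") == "success" else "login_failed"
        return LoginEvent(int(serial), float(ts), kind,
                          int(outer.get("auid", UNSET_AUID)),
                          inner.get("exe"), inner.get("addr"), inner.get("terminal"))
    return None


def classify_log(text: str) -> List[LoginEvent]:
    """Classify every line of an audit log, skipping unrelated records."""
    return [ev for ev in (classify(l) for l in text.splitlines()) if ev is not None]


def actual_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Only successful USER_LOGIN records mean someone actually logged in."""
    return [e for e in events if e.kind == "login"]


if __name__ == "__main__":
    evs = classify_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.serial:>6} {e.kind:16} auid={e.auid} exe={e.exe} addr={e.addr}")
    print("actual logins:", [e.serial for e in actual_logins(evs)])
```

Run against the sample, the two LOGIN records come out as loginuid changes only, the gdm USER_LOGIN as the one real login, and the constructed sshd record as a failed attempt; counting LOGIN records instead would have reported two logins that never happened.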
