From: Steve Grubb
Subject: Re: How to capture a login event?
Date: Wed, 7 Nov 2007 15:53:03 -0500
Message-ID: <200711071553.04448.sgrubb@redhat.com>
In-Reply-To: <47322174.4080902@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote:
> I'm trying to detect when logins (successful) and login attempts
> (unsuccessful) occur using the auditing subsystem.

This is done automatically for you as long as the audit system is enabled.
Changing the loginuid generates this record:

type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500

But just because a loginuid (auid) was changed does not mean that a login
occurred. For example, cron sets the auid when it runs a script on behalf of
a user. In that case, no one logged in.

To distinguish actual logins from other loginuid changes, the entry point
daemons have been modified to send a USER_LOGIN event right after the
pam_session would have been attempted to be started. These events look like
this:

type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'

> Is there an auditing rule that can do this?

No, it's hardwired so you don't have anything to configure for this kind of
event. You can suppress this with a rule if you didn't want it.

-Steve
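As an added example (not code from the mail, and not part of the audit package): a small Python parser that reads audit records of the two types shown above, treats a LOGIN record only as "loginuid was set" (cron produces those too), and treats USER_LOGIN as the actual login attempt, split by its res= field. The sample lines are constructed after the shape of the two records quoted in the reply; the sshd failure line and the crond CRED_ACQ line are assumptions about shape, not captured output, and the field names are the ones that appear in those records.

```python
import re

# (unsigned int)-1: the loginuid has never been set for this task
UNSET_AUID = 4294967295

# Constructed sample records. Lines 1 and 2 follow the two records quoted in
# the mail; the sshd failure and the crond CRED_ACQ lines are assumed shapes.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'
type=LOGIN msg=audit(1194465600.000:7470): login pid=9700 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194465610.123:7480): user pid=9801 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='acct="alice": exe="/usr/sbin/sshd" (hostname=?, addr=192.0.2.10, terminal=ssh res=failed)'
type=CRED_ACQ msg=audit(1194465600.010:7471): user pid=9700 uid=0 auid=500 msg='PAM: setcred acct="zshay" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""

# Every record starts with type=... msg=audit(<seconds>.<ms>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# LOGIN records repeat the key 'auid', so they get their own pattern
LOGIN_RE = re.compile(
    r"pid=(?P<pid>\d+) uid=(?P<uid>\d+) old auid=(?P<old>\d+) new auid=(?P<new>\d+)"
)
# key=value pairs; values may be double- or single-quoted (the nested msg='...')
FIELD_RE = re.compile(r"""(?P<key>\w+)=(?P<val>"[^"]*"|'[^']*'|[^\s,)]+)""")


def parse_fields(text):
    """Turn 'k=v k2="v 2" (k3=v3, k4=v4)' into a dict with quotes stripped."""
    out = {}
    for m in FIELD_RE.finditer(text):
        out[m.group("key")] = m.group("val").strip("'\"").rstrip(":")
    return out


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "LOGIN":
        lm = LOGIN_RE.search(body)
        if not lm:
            return None
        rec.update(pid=int(lm.group("pid")), uid=int(lm.group("uid")),
                   old_auid=int(lm.group("old")), new_auid=int(lm.group("new")))
        return rec
    fields = parse_fields(body)
    inner = fields.pop("msg", "")
    rec.update(fields)
    # Fields inside msg='...' (exe, addr, terminal, res) are hoisted, but the
    # outer pid/uid/auid keep precedence over any inner uid=... echo.
    for key, val in parse_fields(inner).items():
        rec.setdefault(key, val)
    return rec


def classify(rec):
    """What a record proves about a login, following the distinction in the mail."""
    if rec["type"] == "LOGIN":
        # Only evidence that the loginuid was set; cron does this without a login
        return "auid_set" if rec["old_auid"] == UNSET_AUID else "auid_changed"
    if rec["type"] == "USER_LOGIN":
        return "login_success" if rec.get("res") == "success" else "login_failed"
    return "other"


def summarize(log_text):
    """Return (counts by kind, [(kind, record), ...]) for a block of audit text."""
    counts, events = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
        events.append((kind, rec))
    return counts, events


if __name__ == "__main__":
    counts, events = summarize(SAMPLE_LOG)
    for kind, rec in events:
        print(f"{kind:14} serial={rec['serial']} auid={rec.get('auid', rec.get('new_auid'))} "
              f"exe={rec.get('exe', '-')} addr={rec.get('addr', '-')}")
    print(counts)
```

The point the parser encodes is the one in the reply: two LOGIN records appear in the sample, but only one successful login happened. A detection that alerts on every auid change would count the cron job as a login; keying on USER_LOGIN and its res= value does not.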