From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing Logons/Logoffs
Date: Fri, 14 Jul 2017 16:46:16 -0400
Message-ID: <3128112.AezCZUyPye@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, July 14, 2017 3:51:16 PM EDT warron.french wrote:
> Back to this again, as I thought my coworker had addressed it months ago,
> but he did not as I cannot find anything.
>
> *THE_SUBJECT*: Auditing Logons and Logoffs (success/failures)
>
> I am aware of the following files:
> /var/log/faillog, and
> /var/log/lastlog
>
> The following link is relevant to RHEL5 (maybe 6 and 7??):
> https://www.stigviewer.com/stig/oracle_linux_5/2015-12-07/finding/V-818
>
> Is there an appropriate syscall for handling *THE_SUBJECT*?

Nope. This is hardwired into the applications. There is a specification here:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Login-Lifecycle-Events

That explains each event that is part of the login and logout and its meaning.

> Do I use the syntax as advised in the link provided at stigviewer.com?

Nope. It's hardwired. As long as audit is enabled, you'll get them.

-Steve

> We are dealing with systems that do tie into IPA, but have to ensure
> *THE_SUBJECT* is being addressed and forwarded.
>
> I have to support both RHEL6 and RHEL7.
>
>
> Thanks in advance,
> --------------------------
> Warron French
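
An added example, not part of the thread and not the audit project's code: since the login and logout records are emitted by the applications rather than by a syscall rule, reporting on them means filtering the audit log by record type. The sketch below does that over constructed sample records in raw audit.log layout; the function names `parse` and `summarize` and the selection of record types are assumptions made for this illustration.

```python
import re

# Login-related audit record types written by the login programs themselves
# (sshd, login, PAM); this selection is an assumption of the example.
LIFECYCLE = {"USER_AUTH", "USER_ACCT", "CRED_ACQ", "LOGIN", "USER_START",
             "USER_LOGIN", "USER_END", "CRED_DISP", "USER_LOGOUT"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

# Constructed sample records (not from a real host); documentation-range addresses.
SAMPLE = """
type=USER_AUTH msg=audit(1500065100.101:410): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.99 addr=192.0.2.99 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1500065100.350:411): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.99 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1500065175.900:420): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1500065176.020:423): pid=2250 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1500065176.120:424): pid=2250 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1500065300.000:430): arch=c000003e syscall=2 success=yes exit=3 pid=2300 auid=1000 ses=3 comm="cat" key="watch"
type=USER_END msg=audit(1500065900.500:451): pid=2250 uid=0 auid=1000 ses=3 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
""".strip().splitlines()

def parse(line):
    """Return a dict of fields for a login-related record, else None."""
    m = HEADER.match(line.strip())
    if not m or m.group(1) not in LIFECYCLE:
        return None
    # Hex-encoded (untrusted) acct values are left undecoded in this sketch.
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    fields.update(type=m.group(1), time=int(m.group(2)), serial=int(m.group(3)))
    return fields

def summarize(lines):
    """Return (failures, sessions): failed events and ses -> [logon, logoff]."""
    failures, sessions = [], {}
    for rec in filter(None, map(parse, lines)):
        who = rec.get("acct") or rec.get("id") or rec.get("auid")
        if rec.get("res") == "failed":
            failures.append((rec["time"], rec["type"], who, rec.get("addr")))
        elif rec["type"] == "USER_START":
            sessions[rec["ses"]] = [rec["time"], None]
        elif rec["type"] == "USER_END" and rec["ses"] in sessions:
            sessions[rec["ses"]][1] = rec["time"]
    return failures, sessions

if __name__ == "__main__":
    failed, sessions = summarize(SAMPLE)
    for t, typ, who, addr in failed:
        print(f"FAILED {typ} acct={who} addr={addr} at {t}")
    for ses, (start, end) in sessions.items():
        print(f"session {ses}: logon {start}, logoff {end}")
```

A session whose logoff is still `None` has a USER_START with no matching USER_END in the lines examined.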