From: Zachary Shay
Subject: How to capture a login event?
Date: Wed, 07 Nov 2007 15:35:00 -0500
Message-ID: <47322174.4080902@gmail.com>
To: linux-audit@redhat.com

I am fairly new to the linux audit subsystem, and have a question that can probably be answered in a one line response.

I'm trying to detect when logins (successful) and login attempts (unsuccessful) occur using the auditing subsystem. Is there an auditing rule that can do this?

My brief research has shown a syscall, setauid(), available in BSD and SysV; however, it isn't implemented in linux. Also, a rule watching the file "/proc/self/loginuid" will show every time the pam_loginuid.so is called by a point of entry...unfortunately that isn't useful because the uid/euid/auid is always bound to root.

Any ideas?

Thanks in advance,
Zach