From: Dan Gruhn <Dan.Gruhn@groupw.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit Prelude Logout Tracking
Date: Thu, 19 Feb 2009 09:26:28 -0500	[thread overview]
Message-ID: <499D6C14.5060205@groupw.com> (raw)
In-Reply-To: <1234999521.11692.118.camel@homeserver>
LC Bruzenak wrote:
> On Wed, 2009-02-18 at 16:44 -0600, LC Bruzenak wrote:
>   
>> On Wed, 2009-02-18 at 16:58 -0500, Dan Gruhn wrote:
>>     
>>> I'm working on an X86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm 
>>> looking to modify the audisp-prelude plugin so that I can get logout 
>>> events displayed.
>>>
>>> I see the information in the audit.log as USER_END and have done a small 
>>> mod in the handle_event routine in audisp-prelude.c so that it looks for 
>>> AUDIT_USER_END but I've run across the following things:
>>>
>>> 1) sshd goes through a login/logout cycle ending in USER_END and all is 
>>> good.
>>> node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 
>>> uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 
>>> msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" 
>>> (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'
>>>
>>>
>>>       
>
> Dan,
>
> The other question I had was, I suppose you see the AUDIT_USER_LOGIN
> event type which triggers the prelude event (in audisp-prelude.c). I
> would think that the matching AUDIT_USER_LOGOUT would be what you want
> right?
>
> Can you find these events with ausearch like this?:
>
> # ausearch -ts today -i -m USER_LOGIN
> ...and...
> #ausearch -ts today -i -m USER_LOGOUT
>
>
> LCB
>
>   
LCB,

Thanks for the tip that the hostname/addr info is only present for remote access 
sessions.

Although this seemed like the right place to look, I don't see 
USER_LOGOUT events in my audit logs, this is why I mentioned the 
USER_END events.  Do you remember USER_LOGOUT working back when you 
tried before?

I am interested in the patches that you make to audisp-prelude.c.  Do 
you think they might be useful to me in my NISPOM quest?  If so, are 
they patches from 1.7.11 and could you send me a copy?

Thanks,

Dan
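
As an added example, not code from this thread or from audisp-prelude, a small parser for the raw audit.log record layout quoted above that keeps only the successful USER_END records which close a real login session. The sshd USER_END record (serial 203) is the one Dan posted; the USER_LOGIN line and the crond USER_END line are constructed siblings in the same layout, and the auid filter assumes the raw log prints an unset auid as 4294967295.

```python
import re
# Constructed sample in the raw audit.log layout quoted in the thread: the sshd
# USER_END record (serial 203) is the one from the thread; the USER_LOGIN line and
# the crond USER_END line are constructed siblings in the same layout.
SAMPLE_LOG = """\
node=node01 type=USER_LOGIN msg=audit(1234979650.120:198): user pid=7422 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=master addr=10.1.4.100 terminal=/dev/pts/1 res=success'
node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'
node=node01 type=USER_END msg=audit(1234979709.000:204): user pid=7500 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""
UNSET_AUID = 4294967295  # no login session owns the process (ausearch -i prints "unset")
HEADER_RE = re.compile(r"^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+"
                       r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; a value is "double quoted", 'single quoted' or bare (stops at space , ( ))
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s,()]+)")

def parse_kv(text):
    out = {}
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]  # strip the surrounding quotes
        out[key] = value
    return out

def parse_record(line):
    """Parse one raw audit record into a dict; return None for non-record lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"node": m.group("node"), "type": m.group("type"),
           "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    rec["fields"] = parse_kv(m.group("body"))               # pid, uid, auid, subj, msg, ...
    rec["inner"] = parse_kv(rec["fields"].get("msg", ""))  # pairs inside msg='...'
    return rec

def interactive_logouts(log_text):
    """Successful USER_END records that close a real login session (auid set)."""
    logouts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "USER_END" or rec["inner"].get("res") != "success":
            continue
        auid = int(rec["fields"].get("auid", UNSET_AUID))
        if auid == UNSET_AUID:  # cron and service sessions also emit USER_END; skip them
            continue
        inner = rec["inner"]
        logouts.append({"serial": rec["serial"], "time": rec["time"], "auid": auid,
                        "acct": inner.get("acct"), "exe": inner.get("exe"),
                        "hostname": inner.get("hostname"), "addr": inner.get("addr"),
                        "terminal": inner.get("terminal")})
    return logouts
```

Run against the sample, only the sshd session close (serial 203) survives; the crond USER_END is dropped because its auid is unset, which is the distinction a logout report needs.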
