From: Paul Whitney <paul.whitney@mac.com>
To: Valdis.Kletnieks@vt.edu, "Mackanick,
	Jason W CTR DISA GIG-OP" <jason.mackanick.ctr@disa.mil>
Cc: linux-audit@redhat.com
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 17:48:54 -0500
Message-ID: <C20B7106.968%paul.whitney@mac.com>
In-Reply-To: <200702282118.l1SLIQo3017127@turing-police.cc.vt.edu>

So does that mean this call audit would not work:

-a exit,possible -w /bin/login -F success=0 -F success!=0

What would be an entry to trap users successfully logging in?

Paul Whitney
Paul.whitney@mac.com





On 2/28/07 4:18 PM, "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
wrote:

> On Wed, 28 Feb 2007 15:31:41 EST, "Mackanick, Jason W CTR DISA GIG-OP"
> said: 
> 
>> Newbie to the list.  I am in the position of writing technical
>> implementation guidance for DISA and I am looking for a method to audit
>> logins/logouts.  I have not been able to come up with a syscall that
>> would cover this.  Any help would be appreciated.
> 
> That's because "login" isn't a single syscall, and a lot of things happen
> during a login - many files get read, programs get run, and so on.
> That's why things like gdm, getty, and ssh are modified to cut a non-syscall
> audit record when a user logs in.

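The reply quoted above notes that login-aware programs cut their own non-syscall audit records. As an added example (not part of the original thread), this Python script picks such records out of audit log lines, separates successful from failed logins, and pairs session open with session close. The record types USER_LOGIN, USER_START and USER_END, the key=value line layout, and all sample lines are assumptions constructed for illustration.

```python
import re

# Record types written from user space by login programs and PAM, not by syscall rules.
LOGIN_TYPES = {"USER_LOGIN", "USER_START", "USER_END"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")  # also matches fields inside msg='...'

# Constructed sample lines in an assumed key=value layout; not taken from a real host.
SAMPLE = [
    "type=USER_LOGIN msg=audit(1172702934.101:310): pid=2101 uid=0 auid=500 ses=3 "
    "msg='op=login id=500 exe=\"/usr/sbin/sshd\" addr=192.0.2.10 terminal=ssh res=success'",
    "type=USER_START msg=audit(1172702934.230:311): pid=2101 uid=0 auid=500 ses=3 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/sbin/sshd\" terminal=ssh res=success'",
    "type=SYSCALL msg=audit(1172702940.005:312): arch=c000003e syscall=2 success=yes "
    "exit=3 pid=2150 auid=500 uid=500 comm=\"cat\" exe=\"/bin/cat\"",
    "type=USER_LOGIN msg=audit(1172702950.442:315): pid=2110 uid=0 auid=4294967295 "
    "msg='op=login acct=\"mallory\" exe=\"/usr/sbin/sshd\" addr=192.0.2.77 terminal=ssh res=failed'",
    "type=USER_END msg=audit(1172706534.870:402): pid=2101 uid=0 auid=500 ses=3 "
    "msg='op=PAM:session_close acct=\"alice\" exe=\"/usr/sbin/sshd\" terminal=ssh res=success'",
]

def parse_record(line):
    """Flatten one audit line into a dict; returns None if the header is malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    rec.update(type=m.group(1), time=int(m.group(2)), serial=int(m.group(3)))
    return rec

def login_activity(lines):
    """Return (successful logins, failed logins, closed sessions) from audit lines."""
    ok, failed, opened, sessions = [], [], {}, []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] not in LOGIN_TYPES:
            continue  # SYSCALL and other rule-driven records are not login events
        who = rec.get("acct") or rec.get("id") or rec.get("auid")
        if rec["type"] == "USER_LOGIN":
            bucket = ok if rec.get("res") == "success" else failed
            bucket.append((rec["time"], who, rec.get("addr")))
        elif rec["type"] == "USER_START" and rec.get("res") == "success":
            opened[rec.get("ses")] = (rec["time"], who)
        elif rec["type"] == "USER_END" and rec.get("ses") in opened:
            start, user = opened.pop(rec["ses"])
            sessions.append((user, start, rec["time"] - start))
    return ok, failed, sessions

if __name__ == "__main__":
    print(login_activity(SAMPLE))
```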
