From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Mackanick, Jason W CTR DISA GIG-OP" <jason.mackanick.ctr@disa.mil>
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 16:13:38 -0500
Message-ID: <200702281613.39089.sgrubb@redhat.com>
In-Reply-To: <5B93875C42278C43A32F0BEB91CEABBB015C9CC8@laccadive.disanet.disa-u.mil>
On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in position of writing technical implementation guidance for DISA and I
> am looking for a method to audit logins/logouts.
We've patched login, gdm, and openssh to send a USER_LOGIN message to denote
this event.
time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525:
exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0
res=success)'
> I have not been able to come up with a syscall that would cover this. Any
> help would be appreciated.
It's actually a whole series of events that allows a login. The sequence is:
LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ,
and then USER_LOGIN. Cron and some other daemons that are pamified can create
most of these events as they run. This is why we send a specific event from
the app. Aureport looks for USER_LOGIN messages for its login accounting.
[root]# aureport --start today
Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13
If you want more detail, run the login report:
[root]# aureport --start today --login -i
Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81
Hope this helps.
-Steve
Thread overview: 8+ messages
2007-02-28 20:31 Login/Logouts (UNCLASSIFIED) Mackanick, Jason W CTR DISA GIG-OP
2007-02-28 21:13 ` Steve Grubb [this message]
2007-02-28 21:18 ` Valdis.Kletnieks
2007-02-28 22:48 ` Paul Whitney
2007-02-28 22:54 ` Steve Grubb
2007-03-01 13:41 ` Mackanick, Jason W CTR DISA GIG-OP
2007-03-01 14:05 ` Steve Grubb
2007-03-01 14:21 ` Mackanick, Jason W CTR DISA GIG-OP