From: Steve Grubb
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 16:13:38 -0500
Message-ID: <200702281613.39089.sgrubb@redhat.com>
In-Reply-To: <5B93875C42278C43A32F0BEB91CEABBB015C9CC8@laccadive.disanet.disa-u.mil>
To: linux-audit@redhat.com
Cc: "Mackanick, Jason W CTR DISA GIG-OP"
List-Id: linux-audit@redhat.com

On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in the position of writing technical implementation guidance for DISA and I
> am looking for a method to audit logins/logouts.

We've patched login, gdm, and openssh to send a USER_LOGIN message to denote
this event.

time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525:
exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0
res=success)'

> I have not been able to come up with a syscall that would cover this.  Any
> help would be appreciated.

It's actually a whole series of events that allows a login. The sequence is:
LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ,
and then USER_LOGIN. Cron and some other daemons that are pamified can create
most of these events as they run. This is why we send a specific event from
the app. Aureport looks for USER_LOGIN messages for its login accounting.

[root]# aureport --start today

Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13

If you want more detail, run the login report:

[root]# aureport --start today --login -i

Login Report
============================================================
# date time auid host term exe success event
============================================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81

Hope this helps.

-Steve
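The following is an added example, not part of Steve's mail or of the audit package itself. It parses the `type=... msg=audit(...): ...` record format shown above, splits the user-space `msg='...'` payload into its own fields (hostname, addr, terminal, exe, res), and then produces a login report in the spirit of `aureport --login`: only USER_LOGIN records are counted, so the USER_AUTH records that cron and other PAM-using daemons emit do not inflate the login count. The first sample record is the gdm record from the mail; the other three records, the serial numbers, the addresses and the auid-to-name map that stands in for `-i` are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample input. Record 1 is the USER_LOGIN record quoted in the mail;
# records 2-4 are made up here to show a USER_AUTH record that must not count as
# a login, a successful sshd login, and a failed login with an unset auid.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525: "
    "exe=\"/usr/sbin/gdm-binary\" (hostname=discovery, addr=192.168.1.2, "
    "terminal=:0 res=success)'",
    "type=USER_AUTH msg=audit(1172696738.101:80): user pid=3101 uid=0 auid=4294967295 "
    "msg='PAM: authentication acct=\"steve\" : exe=\"/usr/sbin/sshd\" "
    "(hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=success)'",
    "type=USER_LOGIN msg=audit(1172696738.522:81): user pid=3101 uid=0 auid=500 "
    "msg='uid=500: exe=\"/usr/sbin/sshd\" (hostname=nat.redhat.com, addr=10.0.0.5, "
    "terminal=/dev/pts/0 res=success)'",
    "type=USER_LOGIN msg=audit(1172697000.004:90): user pid=3200 uid=0 auid=4294967295 "
    "msg='acct=\"guest\": exe=\"/usr/sbin/sshd\" (hostname=10.0.0.9, addr=10.0.0.9, "
    "terminal=ssh res=failed)'",
]

# Constructed stand-in for the auid interpretation that `aureport -i` does via
# the password database.
UID_NAMES = {"500": "steve"}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# key=value pairs; values are "quoted", 'quoted', or a bare run up to whitespace/comma
PAIR_RE = re.compile(r"""([A-Za-z_]\w*)=("[^"]*"|'[^']*'|[^\s,]+)""")


def parse_pairs(text):
    """Return the key=value pairs in an audit record body as a dict."""
    fields = {}
    for key, value in PAIR_RE.findall(text):
        if value[:1] in "\"'":
            value = value[1:-1]           # drop surrounding quotes
        else:
            value = value.rstrip(":)")    # bare values inside msg='' end in ':' or ')'
        fields[key] = value
    return fields


def parse_audit_record(line):
    """Split one audit line into type, timestamp, serial, kernel fields and msg detail."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, _millis, serial, body = m.groups()
    fields = parse_pairs(body)
    # The msg='...' payload written by the application is itself key=value text;
    # keep it separate so its uid= does not clobber the kernel-supplied uid=0.
    detail = parse_pairs(fields.pop("msg", ""))
    return {
        "type": rtype,
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
        "serial": int(serial),
        "fields": fields,
        "detail": detail,
    }


def login_report(lines, names=UID_NAMES):
    """Emulate `aureport --login`: one row per USER_LOGIN record, plus counts."""
    rows = []
    for line in lines:
        if not line.startswith("type="):
            continue                      # skip 'time->' and '----' separators
        rec = parse_audit_record(line)
        if rec["type"] != "USER_LOGIN":
            continue                      # USER_AUTH/USER_START etc. are not logins
        auid = rec["fields"].get("auid")
        d = rec["detail"]
        rows.append({
            "time": rec["time"].strftime("%m/%d/%Y %H:%M:%S"),   # UTC
            "auid": names.get(auid, d.get("acct", auid)),
            "host": d.get("hostname", "?"),
            "term": d.get("terminal", "?"),
            "exe": d.get("exe", "?"),
            "success": d.get("res") == "success",
            "event": rec["serial"],
        })
    summary = {
        "logins": sum(1 for r in rows if r["success"]),
        "failed_logins": sum(1 for r in rows if not r["success"]),
    }
    return rows, summary


if __name__ == "__main__":
    rows, summary = login_report(SAMPLE_RECORDS)
    for i, r in enumerate(rows, 1):
        print("%d. %s %s %s %s %s %s %d" % (i, r["time"], r["auid"], r["host"],
              r["term"], r["exe"], "yes" if r["success"] else "no", r["event"]))
    print(summary)
```

Timestamps are rendered in UTC, so the gdm record prints as 13:12:01 rather than the 08:12:01 local time shown by `ausearch` in the mail; the kernel-supplied `uid=0` and the application's `uid=525` are kept apart deliberately, since the auid (the login uid set at authentication) is the field that identifies who logged in.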