From: Steve Grubb
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 17:54:28 -0500
Message-ID: <200702281754.28780.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Mackanick, Jason W CTR DISA GIG-OP", Valdis.Kletnieks@vt.edu
List-Id: linux-audit@redhat.com

On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to collect
the information in case it's needed later. The -F options form an "and"
condition. Both cannot be true at the same time. And "-w" is watches while
"-a" is syscall auditing...you cannot mix the two. You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably not
the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages saying
the intent of the pam session.

-Steve
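
Added example (not part of the original message, and not code from the audit project): a small Python linter that checks an auditctl rule line for the three problems named in the reply above. The function name lint_rule and the finding labels are hypothetical, and the contradiction check is generalized to any -F field, not only success.

```python
import re
import shlex
from collections import defaultdict

# Splits a -F argument such as "success!=0" into field, operator, value.
FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|=|<|>)(.*)$")

# Constructed inputs: the rule quoted in the question and the suggested watch.
QUESTION_RULE = "-a exit,possible -w /bin/login -F success=0 -F success!=0"
WATCH_RULE = "-w /bin/login -p x"


def lint_rule(rule):
    """Return finding labels (hypothetical names) for one auditctl rule line."""
    tokens = shlex.split(rule)
    findings = []
    has_watch = has_syscall = False
    equals, not_equals = defaultdict(set), defaultdict(set)

    for opt, arg in zip(tokens, tokens[1:] + [""]):
        if opt == "-w":
            has_watch = True
        elif opt in ("-a", "-A"):
            has_syscall = True
            # "possible" only collects context in case it is needed later.
            if "possible" in arg.split(","):
                findings.append("possible-action")
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if m and m.group(2) == "=":
                equals[m.group(1)].add(m.group(3))
            elif m and m.group(2) == "!=":
                not_equals[m.group(1)].add(m.group(3))

    # -w (watch) and -a (syscall rule) cannot be combined in one rule.
    if has_watch and has_syscall:
        findings.append("mixed-watch-and-syscall")

    # -F fields are ANDed: x=0 with x!=0, or x=0 with x=1, never matches.
    for field in sorted(set(equals) | set(not_equals)):
        if len(equals[field]) > 1 or equals[field] & not_equals[field]:
            findings.append("contradictory-filter:" + field)
    return findings


if __name__ == "__main__":
    for rule in (QUESTION_RULE, WATCH_RULE):
        print(rule, "->", lint_rule(rule) or "no findings")
```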