* How to capture a login event?
From: Zachary Shay @ 2007-11-07 20:35 UTC (permalink / raw)
  To: linux-audit

I am fairly new to the linux audit subsystem, and have a question that 
can probably be answered in a one line response.  I'm trying to detect 
when logins (successful) and login attempts (unsuccessful) occur using 
the auditing subsystem.  Is there an auditing rule that can do this?  My 
brief research has shown a syscall, setauid(), available in BSD and 
SysV; however, it isn't implemented in linux.  Also, a rule watching the 
file "/proc/self/loginuid" will show every time the pam_loginuid.so is 
called by a point of entry...unfortunately that isn't useful because the 
uid/euid/auid is always bound to root.  Any ideas?

Thanks in advance,
Zach


* Re: How to capture a login event?
From: Steve Grubb @ 2007-11-07 20:53 UTC (permalink / raw)
  To: linux-audit

On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote:
> I'm trying to detect when logins (successful) and login attempts
> (unsuccessful) occur using the auditing subsystem.

This is done automatically for you as long as the audit system is enabled. 
Changing the loginuid generates this record:

type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old 
auid=4294967295 new auid=500

But just because a loginuid (auid) was changed does not mean that a login 
occurred. For example, cron sets the auid when it runs a script on behalf of 
a user. In that case, no one logged in.

To distinguish actual logins from other loginuid changes, the entry point 
daemons have been modified to send a USER_LOGIN event right after the 
pam_session would have been attempted to be started. These events look like 
this:

type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: 
exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 
res=success)'

> Is there an auditing rule that can do this?

No, it's hardwired so you don't have anything to configure for this kind of 
event. You can suppress this with a rule if you didn't want it.

-Steve

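As an added illustration of the two record types described in the reply above (example code, not from the thread or from the audit project), here is a Python parser that separates real login outcomes reported in USER_LOGIN records from bare loginuid changes in LOGIN records. The sample records are constructed: the first two mirror the ones quoted above, while the second LOGIN line and the sshd line with res=failed are made up to exercise the failed case.

```python
import re

# Records constructed for this example, modelled on the two record types quoted
# above; the second LOGIN line and the sshd line with res=failed are made up.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500
type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)'
type=LOGIN msg=audit(1194465600.001:7500): login pid=9800 uid=0 old auid=4294967295 new auid=501
type=USER_LOGIN msg=audit(1194465601.002:7501): user pid=9801 uid=0 auid=4294967295 msg='uid=501: exe="/usr/sbin/sshd" (hostname=?, addr=10.0.0.5, terminal=ssh res=failed)'
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
LOGIN_BODY = re.compile(r"old auid=(\d+) new auid=(\d+)")
INNER_MSG = re.compile(r"msg='(.*)'$")
KV = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')  # value is "quoted" or bare

def _fields(text):
    # strip quotes, and the ':' that trails the uid inside msg='uid=500: ...'
    return {k: v.strip('"').rstrip(":") for k, v in KV.findall(text)}

def parse_record(line):
    """Return a dict for a LOGIN or USER_LOGIN record, None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "LOGIN":  # loginuid changed; cron does this too, so not a login
        old, new = LOGIN_BODY.search(body).groups()
        rec.update(old_auid=int(old), new_auid=int(new))
    elif rtype == "USER_LOGIN":  # sent by the entry-point daemon after pam_session
        im = INNER_MSG.search(body)
        outer, inner = _fields(body[: im.start()]), _fields(im.group(1))
        rec.update(pid=int(outer["pid"]), auid=int(outer["auid"]),
                   account_uid=int(inner["uid"]), exe=inner.get("exe"),
                   hostname=inner.get("hostname"), addr=inner.get("addr"),
                   terminal=inner.get("terminal"), result=inner.get("res"))
    else:
        return None
    return rec

def summarize_logins(log_text):
    """Separate real login outcomes (USER_LOGIN) from bare loginuid changes (LOGIN)."""
    out = {"successful": [], "failed": [], "auid_changes": 0}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        if rec["type"] == "LOGIN":
            out["auid_changes"] += 1
        else:
            out["successful" if rec["result"] == "success" else "failed"].append(rec)
    return out
```

Feeding real `ausearch -m LOGIN,USER_LOGIN` output through summarize_logins gives the login/attempt split the question asks for, while the LOGIN count shows how many auid changes were not logins at all.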
