From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: audisp-prelude login question Date: Thu, 30 Oct 2008 06:34:15 -0400 Message-ID: <200810300634.15594.sgrubb@redhat.com> References: <1225333698.9388.287.camel@homeserver> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1225333698.9388.287.camel@homeserver> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wednesday 29 October 2008 22:28:18 LC Bruzenak wrote: > If so, what is LOGIN? This is the record emitted by the kernel to say that the user's loginuid has changed. This would mean that pam_loginuid was run. But the event is being sent by the kernel, not pam. > I guess I can go look at the code and find out...but I guess that one isn't > being grabbed inside the audisp-prelude handle_event() routine. Because that is not an event of interest in prelide right now. > If this is the case either the sending code could be made to match (I > guess pam isn't doing it the same way in each) or else the > audisp-prelude could be changed to send this one too? Nope...somewhere the pam originating events are being eaten. You might strace an xdm login and look for some sendto's followed immediately by recvfrom's to the audit socket. If they are missing entirely, then xdm is not calling pam. If they are there, we'd want to look at the return code to see if its having an error. Is xdm running as root at the point pam is called? Are there selinux rules? Are there dontaudit rules eating this? -Steve