From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: audisp-prelude login question
Date: Thu, 30 Oct 2008 14:07:07 -0400
Message-ID: <200810301407.08084.sgrubb@redhat.com>
References: <1225333698.9388.287.camel@homeserver> <1225370817.9388.306.camel@homeserver> <1225376952.9388.341.camel@homeserver>
In-Reply-To: <1225376952.9388.341.camel@homeserver>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 30 October 2008 10:29:12 LC Bruzenak wrote:
> So I went back to the gdm session which audits. I thought if I could see
> the strace from that I'd know what to look for on the failing one. Here
> is the USER_LOGIN event:
> node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user
> pid=7417 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023
> msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?,
> terminal=/dev/tty7 res=success)'

OK, so I just remembered that I patched gdm, login, and sshd specifically to
send the USER_LOGIN event. I did not patch xdm or kdm or shadow-utils login.
So, I think it will need to be patched to send this one event.

-Steve
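
An added example, not part of the original thread: a small parser for the interpreted record format quoted above, used to list login programs that open sessions without ever sending USER_LOGIN, which is the coverage gap the reply describes. The second sample record, the function names, and the assumption that the unpatched program still produces a PAM USER_START record are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the one quoted in the message. The second is constructed
# for this example: a session start from a display manager that was not
# patched to send USER_LOGIN.
SAMPLE = [
    "node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user "
    "pid=7417 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 "
    "msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, "
    "terminal=/dev/tty7 res=success)'",
    "node=hugo type=USER_START msg=audit(10/30/2008 09:02:11.101:278801) : user "
    "pid=7502 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 "
    "msg='op=PAM:session_open acct=lenny exe=/usr/bin/kdm (hostname=?, addr=?, "
    "terminal=:0 res=success)'",
]

# key=value, where the value ends at whitespace, a comma, a paren or a quote
FIELD = re.compile(r"(\w+)=([^\s,()']*)")

def parse_record(line):
    """Split one interpreted user-space audit record into a dict."""
    head, sep, inner = line.partition(" msg='")
    fields = dict(FIELD.findall(head))
    fields.pop("msg", None)  # the audit(...) stamp is handled below
    stamp = re.search(r"msg=audit\((.+?):(\d+)\)", head)
    if stamp:
        fields["time"], fields["serial"] = stamp.groups()
    # Keys inside msg='...' are written by the application, so keep them apart
    # from the fields the audit system itself attaches (auid, subj, ...).
    fields["app"] = dict(FIELD.findall(inner.rstrip("'"))) if sep else {}
    return fields

def login_gaps(lines):
    """Return programs that opened sessions but never sent USER_LOGIN."""
    seen = defaultdict(set)  # exe -> record types observed for it
    for line in lines:
        rec = parse_record(line)
        exe = rec["app"].get("exe")
        if exe and rec["app"].get("res") == "success":
            seen[exe].add(rec.get("type"))
    return sorted(exe for exe, types in seen.items()
                  if "USER_START" in types and "USER_LOGIN" not in types)

if __name__ == "__main__":
    for exe in login_gaps(SAMPLE):
        print("no USER_LOGIN seen from", exe)
```
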