public inbox for linux-audit@redhat.com
* USER_LOGIN
@ 2010-07-19 13:33 List Quest
  2010-07-19 14:07 ` USER_LOGIN Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: List Quest @ 2010-07-19 13:33 UTC (permalink / raw)
  To: linux-audit



Hi;

I am reading USER_LOGIN logs from audit.log.
SSHD login tries log a USER_LOGIN line, but FTP logins do not write a USER_LOGIN
line?

Example:

- Trying SSH Connect:

The following lines are written to audit.log:
type=USER_AUTH ...
type=USER_ACCT ...
type=USER_START ...
type=USER_LOGIN ...

- Trying FTP Connect:

The following lines are written to audit.log:
type=USER_AUTH ...
type=USER_ACCT ...
(NO USER_LOGIN LINE?)

Why is this?

Thanks
Best Regards


* Re: USER_LOGIN
  2010-07-19 13:33 USER_LOGIN List Quest
@ 2010-07-19 14:07 ` Steve Grubb
  2010-07-20 11:58   ` USER_LOGIN List Quest
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2010-07-19 14:07 UTC (permalink / raw)
  To: linux-audit

On Monday, July 19, 2010 09:33:11 am List Quest wrote:
> - Trying FTP Connect:
> 
> The following lines are written to audit.log:
> type=USER_AUTH ...
> type=USER_ACCT ...
> (NO USER_LOGIN LINE?)
> 
> Why is this?

No one patched the ftp daemon to send it. The USER_LOGIN event is sent by the
daemon after authentication/authorization completes. This is to distinguish
actual sessions from the pam events you noted which may not actually be
associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm, and login have
all been patched to do this. I'm not entirely sure we considered ftp to be a
shell giving free access to the system and that would be the most likely
reason it's not been patched.

-Steve
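
The distinction described in the reply above, as an added example that is not part of the thread or of the audit project's code: it lists, per daemon, the processes that passed PAM accounting but never sent USER_LOGIN. The log lines are constructed samples, and matching records by pid is an assumption (it presumes a daemon emits its PAM events and its USER_LOGIN from the same process).

```python
import re
from collections import defaultdict

# Constructed sample records shaped like audit.log lines (not real log data).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1279546391.101:201): user pid=2301 uid=0 auid=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1279546391.105:202): user pid=2301 uid=0 auid=4294967295 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1279546391.140:203): user pid=2301 uid=0 auid=500 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1279546391.150:204): user pid=2301 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1279546455.310:210): user pid=2410 uid=0 auid=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/vsftpd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ftp res=success'
type=USER_ACCT msg=audit(1279546455.314:211): user pid=2410 uid=0 auid=4294967295 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/vsftpd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ftp res=success'
type=USER_ACCT msg=audit(1279546501.002:215): user pid=2500 uid=0 auid=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return one record's key=value fields as a dict, or None if it has no type."""
    # Dropping the single quotes exposes the fields nested inside msg='...'.
    fields = {k: v.strip('"') for k, v in FIELD.findall(line.replace("'", " "))}
    return fields if "type" in fields else None

def pam_without_login(log_text):
    """Map exe -> pids that passed PAM accounting but never sent USER_LOGIN."""
    accounted = {}      # pid -> exe, from successful USER_ACCT records
    logged_in = set()   # pids that sent a successful USER_LOGIN
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec.get("res") != "success" or "pid" not in rec:
            continue
        if rec["type"] == "USER_ACCT":
            accounted[rec["pid"]] = rec.get("exe", "?")
        elif rec["type"] == "USER_LOGIN":
            logged_in.add(rec["pid"])
    missing = defaultdict(list)
    for pid, exe in accounted.items():
        if pid not in logged_in:
            missing[exe].append(int(pid))
    return {exe: sorted(pids) for exe, pids in missing.items()}

if __name__ == "__main__":
    for exe, pids in pam_without_login(SAMPLE_LOG).items():
        print(f"{exe}: PAM accounting succeeded, no USER_LOGIN from pid(s) {pids}")
```

On the sample, sshd is absent from the result, while vsftpd and crond both appear: the first is a real remote session that USER_LOGIN does not cover, the second a PAM event with no login behind it.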


* Re: USER_LOGIN
  2010-07-19 14:07 ` USER_LOGIN Steve Grubb
@ 2010-07-20 11:58   ` List Quest
  0 siblings, 0 replies; 3+ messages in thread
From: List Quest @ 2010-07-20 11:58 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi,

Thank you very much.

On Mon, Jul 19, 2010 at 5:07 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Monday, July 19, 2010 09:33:11 am List Quest wrote:
> > - Trying FTP Connect:
> >
> > The following lines are written to audit.log:
> > type=USER_AUTH ...
> > type=USER_ACCT ...
> > (NO USER_LOGIN LINE?)
> >
> > Why is this?
>
> No one patched the ftp daemon to send it. The USER_LOGIN event is sent by
> the daemon after authentication/authorization completes. This is to
> distinguish actual sessions from the pam events you noted which may not
> actually be associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm,
> and login have all been patched to do this. I'm not entirely sure we
> considered ftp to be a shell giving free access to the system and that
> would be the most likely reason it's not been patched.
>
> -Steve
>
