From: Dan Gruhn
Subject: Audit Prelude Logout Tracking
Date: Wed, 18 Feb 2009 16:58:36 -0500
Message-ID: <499C848C.6020401@groupw.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I'm working on an X86_64 RHEL 5.2 system and for NISPOM Chapt. 8 I'm looking to modify the audisp-prelude plugin so that I can get logout events displayed. I see the information in the audit.log as USER_END and have done a small mod in the handle_event routine in audisp-prelude.c so that it looks for AUDIT_USER_END, but I've run across the following things:

1) sshd goes through a login/logout cycle ending in USER_END and all is good.
node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/sshd" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'

2) gdm-binary goes through the same login/logout cycle, but on the USER_END audit message it is missing some information, in particular the source hostname:

node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 uid=0 auid=0 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'

3) When crond runs, it goes through a similar cycle (but without the USER_LOGIN step) ending with USER_END:

node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

I want to ignore the crond operations and be able to fill in the information from gdm-binary. Has anyone done this prelude logout tracking before or have any ideas how I can proceed? As always, a pointer to more information is quite acceptable.

Dan
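An added example, not part of the message above or of the audisp-prelude code: it parses the three USER_END records quoted in the message, drops the crond session close, and, as a stated assumption of this example, fills the missing gdm-binary hostname from the record's node field when the terminal is a local X display.

```python
import re

# Constructed input: the three USER_END records quoted in the message, one per line.
SAMPLE_RECORDS = [
    "node=node01 type=USER_END msg=audit(1234979707.894:203): user pid=7422 uid=0 auid=0 "
    "subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/sshd\" (hostname=master, addr=10.1.4.100, terminal=ssh res=success)'",
    "node=master type=USER_END msg=audit(1234988646.589:364): user pid=6868 uid=0 auid=0 "
    "subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/gdm-binary\" (hostname=?, addr=?, terminal=:0 res=success)'",
    "node=master type=USER_END msg=audit(1234989001.710:371): user pid=9517 uid=0 auid=0 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=\"root\" : "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
]

# Record header (node, type, timestamp:serial), then key=value pairs whose value is
# 'single-quoted', "double-quoted" or a bare token ending at whitespace, ',' or ')'.
HEADER_RE = re.compile(r"node=(?P<node>\S+) type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^\s,)]+)")


def parse_user_end(line):
    """Return the fields of one USER_END record (outer fields merged with the PAM msg fields), or None."""
    m = HEADER_RE.match(line)
    if not m or m.group("type") != "USER_END":
        return None
    rec = {"node": m.group("node"), "serial": int(m.group("serial")), "time": float(m.group("ts"))}
    outer = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group("rest"))}
    inner = {k: v.strip("'\"") for k, v in FIELD_RE.findall(outer.pop("msg", ""))}
    rec.update(outer)   # pid, uid, auid, subj
    rec.update(inner)   # acct, exe, hostname, addr, terminal, res
    return rec


def logout_event(line):
    """Map a USER_END record to a logout event dict, or None when it should be ignored."""
    rec = parse_user_end(line)
    if rec is None or rec.get("res") != "success" or "exe" not in rec:
        return None
    if rec["exe"].endswith("/crond"):
        return None  # a cron session close is not an interactive logout
    if rec.get("hostname") == "?" and rec.get("terminal", "").startswith(":"):
        # Assumption of this example: an X display with no source host is a local console
        # session, so the reporting node is the best available hostname for the event.
        rec["hostname"] = rec["node"]
    keys = ("acct", "auid", "exe", "hostname", "addr", "terminal", "time", "serial")
    return {k: rec.get(k) for k in keys}


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        print(logout_event(line))
```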