From: Paul Whitney
Subject: Re: Login/Logouts (UNCLASSIFIED)
Date: Wed, 28 Feb 2007 17:48:54 -0500
To: Valdis.Kletnieks@vt.edu, "Mackanick, Jason W CTR DISA GIG-OP"
Cc: linux-audit@redhat.com

So does that mean this call audit would not work:

-a exit,possible -w /bin/login -F success=0 -F success!=0

What would be an entry to trap users successfully logging in?

Paul Whitney
Paul.whitney@mac.com

On 2/28/07 4:18 PM, "Valdis.Kletnieks@vt.edu" wrote:

> On Wed, 28 Feb 2007 15:31:41 EST, "Mackanick, Jason W CTR DISA GIG-OP" said:
>
>> Newbie to the list. I am in position of writing technical
>> implementation guidance for DISA and I am looking for a method to audit
>> logins/logouts. I have not been able to come up with a syscall that
>> would cover this. Any help would be appreciated.
>
> That's because "login" isn't a single syscall, and a lot of things happen
> during a login - many files get read, programs get run, and so on.
> That's why things like gdm, getty, and ssh are modified to cut a non-syscall
> audit record when a user logs in.
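Added example, not part of the original message or of the audit project's code: a small Python filter that picks the user-space login/logout records the quoted reply describes out of an audit log, ignoring syscall records. The record type names (USER_LOGIN, USER_END), the field layout of the sample lines and the pairing of login and logout by pid are assumptions made for illustration.

```python
import re

# Constructed sample records, not taken from the thread. The field layout is an
# assumption modelled on audit.log output and varies between audit versions.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172702930.101:410): arch=40000003 syscall=5 success=yes exit=3 pid=2291 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd"
type=USER_LOGIN msg=audit(1172702934.512:412): user pid=2291 uid=0 auid=500 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=host1.example addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1172702950.007:415): user pid=2304 uid=0 auid=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=host2.example addr=192.0.2.11 terminal=ssh res=failed'
type=USER_END msg=audit(1172703534.900:431): user pid=2291 uid=0 auid=500 msg='op=session-close acct="alice" exe="/usr/sbin/sshd" hostname=host1.example addr=192.0.2.10 terminal=ssh res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|[^\s']+)")   # key=value or key="value"
USER_SPACE_TYPES = {"USER_LOGIN", "USER_END"}       # written by the login program itself

def parse_record(line):
    """Split one audit line into a dict; return None if it is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
    rec.update(type=rtype, time=int(secs), serial=int(serial))
    return rec

def login_events(log_text):
    """Return only the user-space login/logout records, in log order."""
    recs = (parse_record(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["type"] in USER_SPACE_TYPES]

def successful_logins(log_text):
    """(epoch seconds, account, source address) for each successful login."""
    return [(r["time"], r.get("acct"), r.get("addr")) for r in login_events(log_text)
            if r["type"] == "USER_LOGIN" and r.get("res") == "success"]

def session_lengths(log_text):
    """Pair each successful USER_LOGIN with the USER_END from the same pid (assumed)."""
    open_sessions, out = {}, []
    for r in login_events(log_text):
        if r["type"] == "USER_LOGIN" and r.get("res") == "success":
            open_sessions[r["pid"]] = r
        elif r["type"] == "USER_END" and r.get("pid") in open_sessions:
            start = open_sessions.pop(r["pid"])
            out.append((start.get("acct"), r["time"] - start["time"]))
    return out

if __name__ == "__main__":
    print(successful_logins(SAMPLE_LOG), session_lengths(SAMPLE_LOG))
```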