On Wednesday 28 February 2007 15:31, Mackanick, Jason W CTR DISA GIG-OP wrote:
> I am in position of writing technical implementation guidance for DISA and I
> am looking for a method to audit logins/logouts.
We've patched login, gdm, and openssh to send a USER_LOGIN message to denote this event.

time->Wed Feb 28 08:12:01 2007
type=USER_LOGIN msg=audit(1172668321.325:113): user pid=2424 uid=0 auid=525 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=525: exe="/usr/sbin/gdm-binary" (hostname=discovery, addr=192.168.1.2, terminal=:0 res=success)'

> I have not been able to come up with a syscall that would cover this. Any
> help would be appreciated.

It's actually a whole series of events that allows a login. The sequence is: LOGIN, USER_AUTH, USER_START, USER_ACCT, USER_START, CRED_REFR or CRED_ACQ, and then USER_LOGIN. Cron and some other daemons that are pamified can create most of these events as they run. This is why we send a specific event from the app. Aureport looks for USER_LOGIN messages for its login accounting.

[root]# aureport --start today

Summary Report
======================
Range of time in logs: 10/29/2006 13:11:33.731 - 02/28/2007 16:05:52.479
Selected time for report: 02/28/2007 00:00:01 - 02/28/2007 16:05:52.479
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 2
Number of failed authentications: 1
Number of users: 1
Number of terminals: 4
Number of host names: 2
Number of executables: 2
Number of files: 1
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 4
Number of events: 13

If you want more detail, run the login report:

[root]# aureport --start today --login -i

Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/28/2007 16:05:38 steve nat.redhat.com /dev/pts/0 /usr/sbin/sshd yes 81

Hope this helps.
-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
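The point Steve makes above, that login accounting has to key on the USER_LOGIN record rather than on the PAM session events, because pamified daemons such as cron emit USER_AUTH/USER_START/CRED_* without any interactive login, is easy to get wrong in a home-grown log parser. The following is an added example, not code from the linux-audit project or from aureport: it parses the 2007-era record layout shown in the message, produces a login report and the four login/authentication counters in the style of the summary report, and counts USER_START records so the overcount is visible. The audit lines are constructed (hostnames, addresses, pids and event serials are made up), the mapping of "authentications" to USER_AUTH records is this example's assumption (only the USER_LOGIN mapping comes from the message), and times are rendered in UTC rather than local time.

```python
"""Login accounting over Linux audit records, keyed on USER_LOGIN (added example)."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit.log lines (not from the original thread). One sshd
# login chain in the order the message gives (USER_AUTH, USER_ACCT, CRED_ACQ,
# USER_START, USER_LOGIN), one failed sshd authentication, and two crond job
# runs: crond is pamified, so it opens PAM sessions (USER_START) without ever
# emitting USER_LOGIN. auid=4294967295 is the "unset" login uid before login.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1172678738.101:78): user pid=3101 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=steve : exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1172678738.102:79): user pid=3101 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=steve : exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=success)'
type=CRED_ACQ msg=audit(1172678738.103:80): user pid=3101 uid=0 auid=525 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred acct=steve : exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_START msg=audit(1172678738.104:81): user pid=3101 uid=0 auid=525 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session open acct=steve : exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1172678738.104:82): user pid=3101 uid=0 auid=525 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=525: exe="/usr/sbin/sshd" (hostname=nat.redhat.com, addr=10.0.0.5, terminal=/dev/pts/0 res=success)'
type=USER_AUTH msg=audit(1172678900.500:83): user pid=3140 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/sbin/sshd" (hostname=203.0.113.9, addr=203.0.113.9, terminal=ssh res=failed)'
type=USER_START msg=audit(1172679000.001:84): user pid=3200 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1172679060.001:85): user pid=3201 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""
LINES = SAMPLE_LOG.splitlines()

HEAD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
MSG_RE = re.compile(r"^(.*?)\bmsg='(.*)'\s*$")   # outer fields, then the quoted msg body
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, value may be double-quoted


def _kv(text):
    """Extract key=value pairs; strip quotes and the ',', ':' and ')' the 2007 layout appends."""
    return {k: v.strip('"').rstrip(",:)") for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Parse one audit record into a dict, or return None if the line is not a record."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, rest = m.groups()
    mm = MSG_RE.match(rest)
    outer, inner = (mm.group(1), mm.group(2)) if mm else (rest, "")
    rec = {"type": rtype, "time": int(secs) + int(millis) / 1000.0, "serial": int(serial)}
    rec.update(_kv(outer))          # pid, uid, auid, subj of the reporting process
    rec["detail"] = _kv(inner)      # exe, hostname, addr, terminal, res from the msg body
    return rec


def login_report(lines):
    """One row per USER_LOGIN record, the columns aureport's login report shows."""
    rows = []
    for rec in filter(None, map(parse_record, lines)):
        if rec["type"] != "USER_LOGIN":
            continue
        d = rec["detail"]
        rows.append({
            "when": datetime.fromtimestamp(rec["time"], tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S"),
            "auid": rec.get("auid", "?"),
            "host": d.get("hostname", "?"),
            "term": d.get("terminal", "?"),
            "exe": d.get("exe", "?"),
            "success": d.get("res") == "success",
            "event": rec["serial"],
        })
    return rows


def summary(lines):
    """Login/authentication counters. Logins come only from USER_LOGIN (as the message
    says aureport does); mapping authentications to USER_AUTH is this example's assumption."""
    counts = {"logins": 0, "failed logins": 0, "authentications": 0, "failed authentications": 0}
    for rec in filter(None, map(parse_record, lines)):
        ok = rec["detail"].get("res") == "success"
        if rec["type"] == "USER_LOGIN":
            counts["logins" if ok else "failed logins"] += 1
        elif rec["type"] == "USER_AUTH":
            counts["authentications" if ok else "failed authentications"] += 1
    return counts


def count_by_type(lines):
    """Record counts per type; shows why USER_START is the wrong key for logins."""
    return Counter(rec["type"] for rec in filter(None, map(parse_record, lines)))


if __name__ == "__main__":
    print("# date time auid host term exe success event")
    for i, r in enumerate(login_report(LINES), 1):
        print(f"{i}. {r['when']} {r['auid']} {r['host']} {r['term']} {r['exe']} "
              f"{'yes' if r['success'] else 'no'} {r['event']}")
    print(summary(LINES))
    print("USER_START records:", count_by_type(LINES)["USER_START"], "(3: one sshd, two crond)")
```

On the constructed input the login report has exactly one row (the sshd USER_LOGIN, auid 525), while there are three USER_START records; a parser that treated USER_START or CRED_ACQ as "a login" would report the two cron job runs as interactive logins. The numeric auid is left unresolved here; aureport's -i does the uid-to-name lookup.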
