On Wednesday 28 February 2007 17:48, Paul Whitney wrote: > So does that mean this call audit would not work: > > -a exit,possible -w /bin/login -F success=0 -F success!=0
This would not audit anything for 3 reasons. "possible" tells it to collect the information in case its needed later. The -F options form an "and" condition. Both cannot be true at the same time. And "-w" is watches while "-a" is syscall auditing...you cannot mix the two. You might try: -w /bin/login -p x But that would get you the fact that the file was executed but probably not the results of execution. (It probably should). > What would be an entry to trap users successfully logging in? We've patched the source code to entry points to send specific messages saying the intent of the pam session. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
