Classification: UNCLASSIFIED
Caveats: NONE

I am running the standard auditd delivered with RHEL4. What is the latest set of RPMs that I should have to see the login functionality? I am on a non-internet-connected network where I cannot use up2date for packages.

Jason Mackanick, CISSP
DISA FSO
Supports & Standards Section
Technical Support Team

-----Original Message-----
From: Steve Grubb [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 28, 2007 5:54 PM
To: [email protected]
Cc: Paul Whitney; [EMAIL PROTECTED]; Mackanick, Jason W CTR DISA GIG-OP
Subject: Re: Login/Logouts (UNCLASSIFIED)

On Wednesday 28 February 2007 17:48, Paul Whitney wrote:
> So does that mean this call audit would not work:
>
> -a exit,possible -w /bin/login -F success=0 -F success!=0

This would not audit anything for 3 reasons. "possible" tells it to collect the information in case it's needed later. The -F options form an "and" condition. Both cannot be true at the same time. And "-w" is watches while "-a" is syscall auditing...you cannot mix the two. You might try:

-w /bin/login -p x

But that would get you the fact that the file was executed but probably not the results of execution. (It probably should).

> What would be an entry to trap users successfully logging in?

We've patched the source code to entry points to send specific messages saying the intent of the pam session.

-Steve

Classification: UNCLASSIFIED
Caveats: NONE

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
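
The three problems named in the reply above, as an added example that is not part of the original thread: a small Python lint that flags each one in a rule string. The function name `lint_rule` and the problem labels are hypothetical, and the check covers only these three conditions; it does not validate rules the way auditctl itself does.

```python
import re
import shlex

FIELD = re.compile(r"^(\w+)(!=|=)(.*)$")  # only the = and != comparisons

def lint_rule(rule):
    """Return labels (hypothetical names) for the three problems in one rule."""
    args = shlex.split(rule)
    actions, watches, fields = [], [], []
    # -a, -w and -F each take one argument: pair every token with the next.
    for opt, val in zip(args, args[1:]):
        if opt == "-a":
            actions.append(val)
        elif opt == "-w":
            watches.append(val)
        elif opt == "-F":
            fields.append(val)

    problems = []
    # 1. "possible" only collects information in case it is needed later.
    if any("possible" in a.split(",") for a in actions):
        problems.append("possible-action")
    # 2. -w is a watch and -a is syscall auditing; one rule cannot mix them.
    if actions and watches:
        problems.append("mixes-watch-and-syscall")
    # 3. -F options are ANDed, so field=V together with field!=V never matches.
    seen = {}
    for f in fields:
        m = FIELD.match(f)
        if m:
            seen.setdefault((m.group(1), m.group(3)), set()).add(m.group(2))
    if any(ops == {"=", "!="} for ops in seen.values()):
        problems.append("contradictory-fields")
    return problems

if __name__ == "__main__":
    # Both rule strings are the ones quoted in the thread.
    for rule in ("-a exit,possible -w /bin/login -F success=0 -F success!=0",
                 "-w /bin/login -p x"):
        print(rule, "->", lint_rule(rule) or "no problem found")
```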
