Yup, you are absolutely right.
FC5 currently has an update to 4.3p2-12 (not 13 yet), and it doesn't work
FC6 currently runs 4.3p2-19, and it does indeed produce the logout event.
Thanks for the quick feedback!
Steve Grubb wrote:
On Thursday 03 May 2007 10:00, Robert Evans wrote:
In doing some testing with the last audit module (testing on FC5) I found
the following behavior
1. login and logout events recorded from GDM login
2. login and logout events recorded from su
3. login events recorded from ssh connections, no logout events (USER_END)
logged.
Login is marked by the USER_LOGIN event. There should be a USER_START event
that identifies the beginning of the session. A USER_END event denotes the
end of the session. So, for "su"...you should see a session begin, not a
login.
Is there something I need to do to catch these ssh disconnects?
Update openssh. This was a bug in that the logging of this event was done from
a place where not enough privileges existed. I think 4.3p2-13 has the fix
for it.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
