Bob,

>> it didn't look like failed logins on the gnome desktop were generating events. I realize this may be particular to RHEL_64,
>> but I also figured I could just have an outdated package.

Based on my limited exposure to RHEL4 x86_64 and bz 196233, I was getting login/logout information with the standard RHEL4U4 kernel, but I wasn't getting any of the syscall stuff before installing the test kernel Jason was providing ( http://people.redhat.com/~jbaron/rhel4/ ). Steve Grubb said that Jason's fix will be committed in stream U5 build 42.20.

It sounds like you are having the opposite problem though (getting syscall stuff but not the login/logout stuff). This seems odd because the login/logout stuff is supposed to be built in ... you aren't filtering out the login/logout message types by chance, are you? Steve sent out a sample the other day for someone who asked how to do this (-a exclude,always -F msgtype>=1100 -F msgtype<=1299 -a exclude,always -F msgtype>=1400 -F msgtype<=2999).

It could be that you are seeing a different variant of bug bz196233 since you are on FC rather than RHEL, but I would think that if the syscall stuff is showing up, you've probably already got a fix in place for bz196233 ...

The other thing you might do is to compare the sample capp.rules to your audit.rules. When we set up our initial test audit.rules file, we tried a few things from the sample capp.rules file, and I recall that there were a few things you had to uncomment based on whether you were on 32-bit or 64-bit. If you have something similar in your audit.rules, you may need the 64-bit flavor of the rule.

Good luck,
Karen Wieprecht

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
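Karen's question ("you aren't filtering out the login/logout message types by chance, are you?") can be answered mechanically. The script below is an added example, not code from the thread or from the audit package: it parses the `-a exclude,always -F msgtype...` rules out of an audit.rules file and reports whether the USER_LOGIN (1112) and USER_LOGOUT (1113) record types, which are the numbers linux/audit.h assigns to the PAM-generated login/logout records, fall inside an excluded range. The rules fragment embedded in it is constructed for the example and reuses the sample rules quoted in the message.

```python
import re
import shlex

# Record type numbers from the kernel's linux/audit.h; these are the
# records a PAM-based desktop login produces.
AUDIT_USER_LOGIN = 1112
AUDIT_USER_LOGOUT = 1113

_CMP = re.compile(r"^msgtype(>=|<=|=|>|<)(\d+)$")

# Constructed audit.rules fragment for testing (not a real site's rules);
# the two exclude lines are the sample quoted in the message above.
SAMPLE_RULES = """\
-D
-b 8192
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
-a exclude,always -F msgtype>=1400 -F msgtype<=2999
-a exit,always -S open -F exit=-EACCES
"""


def excluded_ranges(rules_text):
    """Return [(lo, hi), ...] msgtype ranges dropped by exclude rules; hi=None means unbounded."""
    ranges = []
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        # Only '-a exclude,always' / '-a always,exclude' rules discard records.
        if not any(argv[i] == "-a" and set(argv[i + 1].split(",")) == {"always", "exclude"}
                   for i in range(len(argv) - 1)):
            continue
        lo, hi, matched = 0, None, False
        for i, tok in enumerate(argv[:-1]):
            m = _CMP.match(argv[i + 1]) if tok == "-F" else None
            if not m:
                continue
            op, val = m.group(1), int(m.group(2))
            matched = True
            if op in (">=", "="):
                lo = max(lo, val)
            if op == ">":
                lo = max(lo, val + 1)
            if op in ("<=", "="):
                hi = val if hi is None else min(hi, val)
            if op == "<":
                hi = val - 1 if hi is None else min(hi, val - 1)
        if matched and (hi is None or lo <= hi):
            ranges.append((lo, hi))
    return ranges


def is_excluded(msgtype, ranges):
    return any(lo <= msgtype and (hi is None or msgtype <= hi) for lo, hi in ranges)


def login_events_suppressed(rules_text):
    """True if USER_LOGIN or USER_LOGOUT records would be dropped by the exclude rules."""
    ranges = excluded_ranges(rules_text)
    return any(is_excluded(t, ranges) for t in (AUDIT_USER_LOGIN, AUDIT_USER_LOGOUT))
```

Run against the embedded sample, `login_events_suppressed(SAMPLE_RULES)` is True, because the quoted 1100-1299 exclusion covers both login record types; point it at `/etc/audit/audit.rules` to check a live configuration.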
