I am fairly new to the linux audit subsystem, and have a question that can probably be answered in a one line response. I'm trying to detect when logins (successful) and login attempts (unsuccessful) occur using the auditing subsystem. Is there an auditing rule that can do this? My brief research has shown a syscall, setauid(), available in BSD and SysV; however, it isn't implemented in linux. Also, a rule watching the file "/proc/self/loginuid" will show every time the pam_loginuid.so is called by a point of entry...unfortunately that isn't useful because the uid/euid/auid is always bound to root. Any ideas?

Thanks in advance,
Zach

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to