On Wednesday 07 November 2007 15:35:00 Zachary Shay wrote: > I'm trying to detect when logins (successful) and login attempts > (unsuccessful) occur using the auditing subsystem.
This is done automatically for you as long as the audit system is enabled. Changing the loginuid generates this record: type=LOGIN msg=audit(1194465501.865:7462): login pid=9651 uid=0 old auid=4294967295 new auid=500 But just because a loginuid (auid) was changed does not mean that a login occurred. For example, cron sets the auid when it runs a script on behalf of a user. In that case, no one logged in. To distinguish actual logins from other loginuid changes, the entry point daemons have been modified to send a USER_LOGIN event right after the pam_session would have been attempted to be started. These events look like this: type=USER_LOGIN msg=audit(1194448956.798:186): user pid=2261 uid=0 auid=500 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=localhost, addr=127.0.0.1, terminal=:0 res=success)' > Is there an auditing rule that can do this? No, its hardwired so you don't have anything to configure for this kind of event. You can suppress this with a rule if you didn't want it. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
