On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote: > > Nope...somewhere the pam originating events are being eaten. You might strace > an xdm login and look for some sendto's followed immediately by recvfrom's to > the audit socket. If they are missing entirely, then xdm is not calling pam. > If they are there, we'd want to look at the return code to see if its having > an error. Is xdm running as root at the point pam is called? Are there > selinux rules? Are there dontaudit rules eating this? >
I bet you're right. I'll look for this. I hate it when my own policy foils me... :) I appreciate the advice, LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit