Hi, Thank you very much.
On Mon, Jul 19, 2010 at 5:07 PM, Steve Grubb <[email protected]> wrote: > On Monday, July 19, 2010 09:33:11 am List Quest wrote: > > - Trying FTP Connect: > > > > Following lines writing to audit.log > > type=USER_AUTH ... > > type=USER_ACCT ... > > (NO USER_LOGIN LINE?) > > > > Wyh this? > > No one patched the ftp deamon to send it. The USER_LOGIN event is sent by > the > daemon after authentication/authorization completes. This is to distinguish > actual sessions from the pam events you noted which may not actually be > associated with a login (e.g. - crond). Sshd, gdm, kdm, xdm, and login have > all been patched to do this. I'm not entirely sure we considered ftp to be > a > shell giving free access to the system and that would be the most likely > reason its not been patched. > > -Steve >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
